Hello all,
I am working on the OAuth Authorization Code flow in ISAM 9.0.7. I am successfully able to receive the Bearer token from the token endpoint using the authorization code generated from the device_selection.html page after authenticating on the reverse proxy. However, the bearer token lifetime is not working as expected: the token only works for 10 minutes after it has been issued. The access token lifetime configured in the API Protection Definition is 3600 seconds (1 hour), yet the token only works for 10 minutes.
I am exploring it using Postman, and the following behavior is observed:
1. A request is sent to the token endpoint with the authorization code, and an access token is received in the response with a lifetime of 3599. Request.log on the reverse proxy shows this request as unauthenticated (expected behavior).
2. A request is sent to the SCIM endpoint within 10 minutes of token issuance to fetch the user's pending MMFA transactions, providing the Bearer token received in the previous step. The response shows the pending transactions (if any). Request.log on the reverse proxy shows this request as authenticated with the user ID of the user for whom the authorization code was issued (expected behavior).
3. A request is sent again to the same SCIM endpoint 11 minutes after token issuance, using the same access token (expecting that the token should still be valid, as the expiry is 1 hour from the time of issuance). The following response is received:
{
"operation": "login"
}
Request.log on the reverse proxy shows this request as unauthenticated.
Based on this behavior, I believe that the access token lifetime is not working as expected. Is there any other configuration parameter within ISAM AAC that could affect this setting?
I have done the MMFA configuration on the reverse proxy that is handling this traffic. I chose the mobile-only configuration type when configuring it using the LMI.
Looking forward to the comments,
Best regards,
------------------------------
Jahanzaib Sarwar
------------------------------
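The three-step check described in the post, turned into a small timing harness so the effective lifetime of the token can be measured systematically rather than with two manual Postman calls. This is an added example, not code from the post, from the poster, or from ISAM. The hostnames, paths, client credentials and the `/scim/Me` resource are assumptions; the 3599 s lifetime, the roughly 600 s cut-off and the `{"operation": "login"}` body are taken from the post, and the HTTP status that accompanies that body is assumed to be 200. The proxy is injected as a probe function, so the same loop runs against a real ISAM reverse proxy (`http_probe`) or against the constructed `make_simulated_proxy`, which reproduces the observed cut-off without explaining its cause.

```python
"""Timing harness for the access-token lifetime check from the post (added example, not code
from the post or from ISAM). Hostnames, paths and client credentials are assumptions; the
3599 s lifetime, the ~600 s cut-off and the {"operation": "login"} body are from the post.
The HTTP status carried with that body is assumed to be 200."""
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

TOKEN_URL = "https://isam.example.com/mga/sps/oauth/oauth20/token"  # assumed
SCIM_URL = "https://isam.example.com/scim/Me"                         # assumed
Probe = Callable[[str, Dict[str, str]], Tuple[int, str]]  # (url, headers) -> (status, body)

def build_token_request(code, redirect_uri, client_id, client_secret) -> Tuple[Dict[str, str], str]:
    """Headers and form body for a standard RFC 6749 authorization_code exchange (step 1)."""
    body = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
                      "client_id": client_id, "client_secret": client_secret})
    return {"Content-Type": "application/x-www-form-urlencoded"}, body

@dataclass
class IssuedToken:
    access_token: str
    issued_at: float  # local clock at issuance, so probe ages are measured from it
    expires_in: int

    @property
    def expires_at(self) -> float:
        return self.issued_at + self.expires_in

def parse_token_response(body: str, now: float) -> IssuedToken:
    """Record the issuance time next to expires_in so later probes can be dated."""
    data = json.loads(body)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("expected a Bearer token, got %r" % data.get("token_type"))
    return IssuedToken(data["access_token"], now, int(data["expires_in"]))

def classify_scim_response(status: int, body: str) -> str:
    """'authenticated' for a SCIM payload, 'login_challenge' for the {"operation": "login"}
    body seen in the post, 'rejected' for 401/403, 'unexpected' for anything else."""
    if status in (401, 403):
        return "rejected"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unexpected"
    if isinstance(data, dict) and data.get("operation") == "login":
        return "login_challenge"
    return "authenticated"

def http_probe(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real probe for a run against the proxy (not exercised offline)."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def measure_effective_lifetime(token: IssuedToken, probe: Probe, interval: int = 60,
                               now_fn: Callable[[], float] = time.time,
                               sleep_fn: Callable[[float], None] = time.sleep) -> List[Tuple[int, str]]:
    """Steps 2 and 3 made systematic: hit the SCIM endpoint every `interval` seconds until the
    configured expiry, recording (token age in seconds, classification) for each call."""
    headers = {"Authorization": "Bearer " + token.access_token, "Accept": "application/scim+json"}
    results: List[Tuple[int, str]] = []
    while now_fn() < token.expires_at:
        status, body = probe(SCIM_URL, headers)
        results.append((int(now_fn() - token.issued_at), classify_scim_response(status, body)))
        sleep_fn(interval)
    return results

def first_failure_age(results: List[Tuple[int, str]]) -> Optional[int]:
    """Token age at the first non-authenticated response, or None if it held until expiry."""
    return next((age for age, outcome in results if outcome != "authenticated"), None)

class FakeClock:
    """Constructed clock so the harness runs offline; a real run keeps time.time/time.sleep."""
    def __init__(self, start: float) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds

def make_simulated_proxy(expected_token: str, issued_at: float, now_fn: Callable[[], float],
                         cutoff_s: int = 600) -> Probe:
    """Constructed stand-in for the reverse proxy that reproduces the post's observation: the
    token is honoured for cutoff_s seconds after issuance, then every call gets the login body."""
    def probe(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if headers.get("Authorization") == "Bearer " + expected_token and now_fn() - issued_at < cutoff_s:
            return 200, json.dumps({"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "id": "user1"})
        return 200, json.dumps({"operation": "login"})
    return probe
```

Against a live proxy, exchange the code with `build_token_request`, feed the token-endpoint body and `time.time()` to `parse_token_response`, then call `measure_effective_lifetime(token, http_probe, interval=60)`: `first_failure_age` gives the token age at which the proxy stopped treating the request as authenticated, which is the number to put next to the 3600 s configured in the API Protection Definition when raising the question. With `FakeClock` and `make_simulated_proxy`, the same loop reproduces the post's observation offline (first login challenge at age 600 with a configured 3599).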