IBM Security Verify

  • 1.  ISAM: Access Token Lifetime Issue in OAUTH

    Posted Mon July 06, 2020 05:03 PM
    Hello all,

    I am working on the Authorization Code flow of OAUTH in ISAM 9.0.7. I am successfully able to receive the Bearer token from the token endpoint using the authorization code generated from the device_selection.html page after authenticating on the reverse proxy. However, that bearer token lifetime is not working as expected and only works for 10 minutes after it has been issued. The access token lifetime configured in the API Protection Definition is 3600 seconds (1 hour), still the token only works for 10 minutes.

    I am exploring it using Postman and the following behavior is observed:

    1. Request sent to token endpoint with Authorization Code and access token received in response with a lifetime of 3599. Request.log on reverse proxy shows this request as unauthenticated (expected behavior)

    2. Request sent to SCIM endpoint within 10 minutes of token issuance for fetching pending MMFA transactions of the user, providing the Bearer token received in the previous step. The response shows the pending transactions (if any). Request.log on reverse proxy shows this request as authenticated with the user id of the user for whom the authorization code was issued (expected behavior)
    3. Request sent again to the same SCIM endpoint after 11 minutes of token issuance, using the same access token (expecting that the token should still be valid as the expiry is after 1 hour from the time of issuance). The following response is received:

    {
    "operation": "login"
    }

    Request.log on reverse proxy shows this request as unauthenticated.

    With this behavior, I believe that the access token lifetime is not working as expected. Is there any other configuration parameter within ISAM AAC that could affect this setting?

    I have done the MMFA configuration on the reverse proxy which is handling this traffic. I chose the mobile-only configuration type when configuring using the LMI.

    Looking forward to the comments,

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------


  • 2.  RE: ISAM: Access Token Lifetime Issue in OAUTH

    Posted Fri July 17, 2020 06:59 AM
    Hello Jahanzaib,

    I suspect the 10 minute time is related to the inactivity timeout on the Reverse Proxy.

    After validating a received Access Token, the Reverse Proxy generates a web session.  Requests received within this session are authenticated without the need to validate the Access Token every time (important for performance).  However, by default, this session will time out after 10 minutes of inactivity.

    What *should* happen when the next request comes in with the Access Token is that the Reverse Proxy validates this token again and builds a new web session.  So, the question here is "why is the 2nd validation of the Access Token failing?".

    I suspect the answer is that the OAuth definition you are using has been set for "Single use authorization grant".  This means the Access Token can only be validated once.  You need to disable this property to allow the Access Token to be validated again (as long as it is still valid).

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
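As an added illustration (not code from this thread, from ISAM or from IBM), the following Python model replays the timeline from the first post against the mechanism Jon describes: a web session that times out after 10 minutes of inactivity, after which the Reverse Proxy must validate the access token a second time, which a "Single use authorization grant" definition refuses. The token value, user id, request times and the session/validation logic are assumptions made for the model.

```python
from dataclasses import dataclass, field

TOKEN_LIFETIME = 3600       # access token lifetime from the API Protection Definition (seconds)
INACTIVITY_TIMEOUT = 600    # default Reverse Proxy web session inactivity timeout (10 minutes)


@dataclass
class AccessToken:
    value: str
    user: str
    issued_at: int
    validations: int = 0    # how many times this token has been validated so far


@dataclass
class ReverseProxy:
    """Assumed model of a session cache sitting in front of token validation."""
    single_use_grant: bool                           # the API Protection Definition setting
    tokens: dict = field(default_factory=dict)       # token value -> AccessToken
    sessions: dict = field(default_factory=dict)     # token value -> (user, last_activity)

    def issue(self, value, user, now):
        self.tokens[value] = AccessToken(value, user, now)

    def _validate(self, value, now):
        tok = self.tokens.get(value)
        if tok is None or now - tok.issued_at >= TOKEN_LIFETIME:
            return None                              # unknown or expired token
        if self.single_use_grant and tok.validations >= 1:
            return None                              # single use: a second validation is refused
        tok.validations += 1
        return tok.user

    def handle_request(self, value, now):
        sess = self.sessions.get(value)
        if sess and now - sess[1] < INACTIVITY_TIMEOUT:
            self.sessions[value] = (sess[0], now)    # session still live: no re-validation
            return {"user": sess[0]}
        self.sessions.pop(value, None)               # idle too long: session is gone
        user = self._validate(value, now)
        if user is None:
            return {"operation": "login"}            # the response the poster saw after 11 minutes
        self.sessions[value] = (user, now)           # fresh session after a successful validation
        return {"user": user}


def scenario(single_use_grant):
    """Requests at 0 s, 1 min, 11 min and just past the 1 h lifetime (constructed timeline)."""
    proxy = ReverseProxy(single_use_grant)
    proxy.issue("tok-123", "jsarwar", now=0)         # constructed sample token and user id
    return [proxy.handle_request("tok-123", t) for t in (0, 60, 660, 3700)]
```

With the single-use setting on, the third request fails even though the token has 49 minutes of lifetime left; with it off, the token keeps working until the 3600 second lifetime is reached.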



  • 3.  RE: ISAM: Access Token Lifetime Issue in OAUTH

    Posted Mon July 27, 2020 03:52 PM
    Hello Jon,

    Thank you for your response.

    Yes, you mentioned it correctly, the question is "why is the 2nd validation of the Access Token failing?".

    Yes, the OAuth definition is set for "Single use authorization grant". But we have this set in another environment as well where the flow is working fine. Also, I believe this is the same OAUTH configuration used for IBM Verify as per the cookbook, but IBM Verify successfully fetches the access token even after 10 minutes. So, a little confused here.

    Regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------