This part in your blog was interesting, I think this is what we are after.
This means that inactivity is important to consider, such that you may have an access token valid for 60 mins, but an inactivity of 10 mins. If you would like to modify this dynamically, modify the OAuth response in the Post Token mapping rule to give the desired value.
(For example, you might set the token lifetime short in the API definition, but report a longer max lifetime value in the Post Token mapping rule to enable sessions that extend beyond the life of a token based on activity.)
Original Message:
Sent: Thu June 15, 2023 03:08 AM
From: Mikael Lindblad
Subject: inactive timeout and access tokens
Hello Philip,
"Where you are using ISVA Reverse Proxy as the enforcement point, you can have the RP invalidate the Access Token when the inactivity timer fires (session ends). "
Does this mean that there is some kind of inactivity timer on the token and if so, is this based on the am_eai_xattr_inactive_timeout value?
------------------------------
Regards Mikael
Original Message:
Sent: Thu June 15, 2023 01:04 AM
From: Philip Nye
Subject: inactive timeout and access tokens
Where you are using ISVA Reverse Proxy as the enforcement point, you can have the RP invalidate the Access Token when the inactivity timer fires (session ends).
See the OAuth 2.0 Logout endpoint.
A URL where you can end a session by revoking an access_token. The token must be provided in the Authorization header or a session cookie must be used.
Setting [acnt-mgt] single-signoff-uri to this endpoint ensures that when pkmslogout is called or when the WebSEAL session times out because of inactivity, the access token is revoked.
[acnt-mgt]single-signoff-uri = /mga/sps/oauth/oauth20/logout
If this functionality is not desired, the [acnt-mgt] single-signoff-uri entry must be unset.
I've also written a bunch of stuff on this topic here. https://philipnye.com/2014/07/29/isam-for-web-and-mobile-oauth-authentication-and-sessions/
It's a bit old, but mostly still relevant.
------------------------------
Philip Nye
IBM
Gold Coast
Original Message:
Sent: Wed June 14, 2023 11:28 AM
From: JACK YARBOROUGH
Subject: inactive timeout and access tokens
Hello Mikael,
In the OAuth 2.0 Framework access tokens are by design short-lived tokens.
My suggestion would be to make the access token lifetime the value of the inactivity timeout and use a refresh token. Define the refresh token timeout to be the full session timeout.
This would accomplish 2 things.
1) The access token is short-lived and short-scoped, meaning that it would expire and, unless the client had the refresh token, they could not get another token.
2) The refresh token can only be acquired through an authenticated flow. When the refresh token lifetime expires authentication would be required again.
Our product does have a '/revoke' endpoint.
It's also possible to delete tokens using the 'com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils.deleteToken(java.lang.String tokenID)' class and method.
------------------------------
JACK YARBOROUGH
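As an added illustration (not code from this thread or from ISVA), here is the policy discussed above and in the latest reply: an access token with an absolute lifetime and a shorter inactivity window, where a failed idle check revokes the token outright, the way the logout/revoke endpoint would. The `TokenStore` class, its `validate`/`revoke` names and the timings are all constructed assumptions.

```python
# Constructed model of "60-minute token, revoked after N minutes idle".
# Times are seconds; the clock is passed in so the example runs offline.

TOKEN_LIFETIME = 60 * 60    # absolute lifetime of the access token
INACTIVE_TIMEOUT = 10 * 60  # idle window, mirroring the reverse proxy's inactivity timer


class TokenStore:
    def __init__(self):
        self._tokens = {}  # token -> {"issued": t, "last_used": t}

    def issue(self, token, now):
        """Issued tokens start with their idle window fully open."""
        self._tokens[token] = {"issued": now, "last_used": now}

    def revoke(self, token):
        """What the logout/revoke endpoint does: the token is gone for good."""
        self._tokens.pop(token, None)

    def validate(self, token, now):
        """True only if the token is within its absolute lifetime AND has been
        used inside the idle window. A failed check revokes the token, so a
        later request cannot revive it even if it would otherwise fit."""
        entry = self._tokens.get(token)
        if entry is None:
            return False
        expired = now - entry["issued"] >= TOKEN_LIFETIME
        idle = now - entry["last_used"] >= INACTIVE_TIMEOUT
        if expired or idle:
            self.revoke(token)
            return False
        entry["last_used"] = now  # activity slides the idle window forward
        return True
```

Note that activity extends only the idle window, never the absolute lifetime, which is what keeps the token from living forever under constant use.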
Original Message:
Sent: Wed June 14, 2023 09:12 AM
From: Mikael Lindblad
Subject: inactive timeout and access tokens
Hi,
Do you have any design recommendations on how to solve an inactive timeout with access tokens?
Let's say that you have a token that is valid for 60 minutes, but should be revoked if it has not been used for 5 minutes.
Is this possible to solve in a mapping rule? And are there any examples on how to do it? Can you invalidate the token in a mapping rule?
------------------------------
Regards Mikael
------------------------------