Forum Discussion
AlexS_yb
Cirrocumulus
CirrocumulusOAuth APM as Authorisation server
Hi
Got a question I can't seem to get answered.
I have a OAuth authorisation server setup. I have applied the oauth profile and I have a per session policy that use oauth authroization to assign claims and scopes.
The claims are setup based upon session variables.
So the JWT created have 5 in life for access token and 60 min life for refresh token.
So at 5min +1 my client/resource server will access the auth server for a new access token using the refresh token.
I see this on the APM logs on the auth server and the client/resource server.
BUT on the auth server, there is no session alive ! so which auth server session variables is it using.
Does it just use the values that were assigned when the original request was made if thats the case.
How can I . if possible update the information for each request ?
Is it possible
- Matt_Dierick
Employee
Hi AlexS_yb
You right, in Oauth AS use case, APM does not keep session up. As soon as the token is issued, the session is deleted.
If client presents a refresh token, the previous values from the first request should be used.
I'm curious to know which kind of information you want to update during a "token refresh". As if something changed on Owner side, a new authentication is required, then new session var (claims) are issued.
AlexS_ybSome claim information is based upon ldap group membership.
With the current setup a 60 min jwt toekn means that a users permission might last 60min past it being removed.
I was thinking maybe to reduce the refresh token time done and force a new jwt, seem expensive though
- LiefZimmerman
Admin
AlexS_yb - it's been a few days on this one - Have you figured this out yet?
If not - I'll see what help I might drum up.- AlexS_yb
Hi
Nothing as yet, that would be helpful.
Thanks
