OIDC extension: refresh and validate endpoints?
Henri Mikkonen
henri.mikkonen at csc.fi
Mon Sep 2 14:38:19 EDT 2019
Hi,
Actually, no storage service is used for the state of refresh tokens in the current implementation. They contain all the data by themselves in encrypted form. Their IDs are verified against the revocation cache, which can be set with the idp.oidc.revocationCache.StorageService property (shibboleth.StorageService by default).
The lifetime of the refresh tokens can be set in the profile configuration, see https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/OIDC.SSO
BR,
Henri.
From: "Wessel, Keith" <kwessel at illinois.edu>
To: "Shib Users" <users at shibboleth.net>
Sent: Friday, 30 August, 2019 22:37:56
Subject: RE: OIDC extension: refresh and validate endpoints?
Thanks, Liam. And would that use the same session storage as my IdP’s session storage for SAML-based sessions? I assume they’re the same.
Keith
From: users <users-bounces at shibboleth.net> On Behalf Of Liam Hoekenga
Sent: Friday, August 30, 2019 2:28 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: OIDC extension: refresh and validate endpoints?
One more question based on what Liam brought up: what property controls the storage service to use for refresh tokens? I don’t see a storage setting for this in idp-oidc.properties. I only see dynamic registrations, remote JWK sets, and the revocation cache which, obviously, all must be server-side.
I'm pretty sure they just use the same storage service that the rest of the tokens use (session storage).
Liam
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
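The design Henri describes above (a refresh token that carries its own state, with only a revocation cache kept server-side and consulted by token ID) is worth seeing in code. The following is an added illustration written for this page, not code from the Shibboleth IdP OIDC extension, and it does not reproduce the extension's token format. The extension encrypts its tokens; to stay standard-library-only this sketch protects the payload with an HMAC tag instead, so the token is tamper-evident but not confidential. The claim names (jti, exp, sub, client_id, scope), the issue/validate functions, the RevocationCache class and the per-process key are all assumptions made for the example. What it shows that the thread does not spell out: the tag is checked before the claims are parsed, the lifetime check needs no server state at all, and the revocation cache only has to remember an ID until that token's exp, which is what keeps the cache small.

```python
"""Self-contained refresh tokens checked against a server-side revocation cache.

Added example for this thread, not the Shibboleth IdP OIDC extension's code.
The extension encrypts token contents; here the payload is HMAC-protected only
(tamper-evident, not confidential) so the sketch runs with the standard library.
"""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Constructed per-process key for the example; a real deployment loads it from its keystore.
SERVER_KEY = os.urandom(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(subject, client_id, scope, lifetime_s, now=None, key=SERVER_KEY):
    """Mint a token whose entire state (ID, subject, client, scope, lifetime) rides inside it."""
    now = time.time() if now is None else now
    claims = {
        "jti": _b64(os.urandom(16)),   # random token ID, the only thing the revocation cache needs
        "sub": subject,
        "client_id": client_id,
        "scope": scope,
        "iat": int(now),
        "exp": int(now) + lifetime_s,  # lifetime is enforced from the token itself, no lookup
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


class RevocationCache:
    """Server-side store keyed by token ID; an entry only has to outlive the token's exp."""

    def __init__(self):
        self._revoked = {}   # jti -> exp of the revoked token

    def revoke(self, jti, exp):
        self._revoked[jti] = exp

    def is_revoked(self, jti, now):
        # Expired tokens fail the exp check anyway, so their IDs can be dropped; this bounds the cache.
        for stale in [j for j, e in self._revoked.items() if e <= now]:
            del self._revoked[stale]
        return jti in self._revoked

    def size(self):
        return len(self._revoked)


def validate(token, cache, now=None, key=SERVER_KEY):
    """Return the claims dict if the token is acceptable, otherwise a short string naming the failure."""
    now = time.time() if now is None else now
    try:
        body_s, tag_s = token.split(".")
        body, tag = _unb64(body_s), _unb64(tag_s)
    except (ValueError, binascii.Error):
        return "malformed"
    # Authenticate first: nothing inside an unverified token is trusted, not even the ID.
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return "bad_tag"
    claims = json.loads(body)
    if claims["exp"] <= now:
        return "expired"
    if cache.is_revoked(claims["jti"], now):
        return "revoked"
    return claims
```

The order in validate is the part to keep when adapting this: integrity (or, with real encryption, authenticated decryption) before any parsing, the stateless expiry check next, and the cache lookup last, so the revocation store is only consulted for tokens that are otherwise valid.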