OIDC extension: refresh and validate endpoints?
Wessel, Keith
kwessel at illinois.edu
Thu Sep 5 17:31:35 EDT 2019
Thanks, Henri. This is excellent news. I figured there wouldn’t be something in this extension that required me to use server-side session storage. Once again, nice work on this implementation.
Thanks, all, for the help on this.
Keith
From: users <users-bounces at shibboleth.net> On Behalf Of Henri Mikkonen
Sent: Monday, September 2, 2019 1:38 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: OIDC extension: refresh and validate endpoints?
Hi,
Actually, no storage services are used for the state of refresh tokens in the current implementation. They contain all the data by themselves in encrypted form. Their IDs are verified against the revocation cache, which can be set with the idp.oidc.revocationCache.StorageService property (shibboleth.StorageService by default).
The lifetime of the refresh tokens can be set in the profile configuration, see https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/OIDC.SSO
BR,
Henri.
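The design Henri describes, self-contained encrypted refresh tokens whose IDs are checked against a revocation cache, as an added illustration in Go; this is not code from the Shibboleth OIDC extension, and the claim layout, AES-GCM sealing and in-memory revoked-ID set are assumptions standing in for its real token format and StorageService.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)
type refreshClaims struct { // constructed payload; the extension's real layout is not on the page
	ID  string `json:"jti"` // the value looked up in the revocation cache
	Sub string `json:"sub"`
	Exp int64  `json:"exp"` // unix seconds, derived from the profile's refresh-token lifetime
}
type Issuer struct { // the only server-side state: a sealing key and the revoked-ID cache
	aead    cipher.AEAD
	revoked map[string]bool // stands in for the StorageService behind idp.oidc.revocationCache.StorageService
}
func NewIssuer(key []byte) (*Issuer, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil { return nil, err }
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Issuer{aead: aead, revoked: map[string]bool{}}, nil
}
// Issue seals the claims with AES-GCM (12-byte nonce prepended); nothing is stored server-side.
func (s *Issuer) Issue(c refreshClaims) string {
	plain, _ := json.Marshal(c)
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return base64.RawURLEncoding.EncodeToString(s.aead.Seal(nonce, nonce, plain, nil))
}
func (s *Issuer) Revoke(id string) { s.revoked[id] = true } // the only write path
// Validate authenticates and decrypts, checks expiry, then consults the revocation cache.
func (s *Issuer) Validate(tok string, now int64) (*refreshClaims, error) {
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil || len(raw) < 12 { return nil, fmt.Errorf("malformed token") }
	plain, err := s.aead.Open(nil, raw[:12], raw[12:], nil)
	if err != nil { return nil, fmt.Errorf("token not authentic") } // tampered or sealed under another key
	var c refreshClaims
	json.Unmarshal(plain, &c) // plaintext is authenticated and was produced by Issue
	if now >= c.Exp { return nil, fmt.Errorf("token expired") }
	if s.revoked[c.ID] { return nil, fmt.Errorf("token revoked") }
	return &c, nil
}
func main() {
	iss, _ := NewIssuer([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	tok := iss.Issue(refreshClaims{ID: "rt-1", Sub: "keith", Exp: 2000})
	fmt.Println(iss.Validate(tok, 1000))
}
```

The revocation cache only has to hold an ID until the token's own expiry passes, which is why the token lifetime set in the profile configuration also bounds how long the cache must remember a revocation.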
________________________________________
From: "Wessel, Keith" <kwessel at illinois.edu>
To: "Shib Users" <users at shibboleth.net>
Sent: Friday, 30 August, 2019 22:37:56
Subject: RE: OIDC extension: refresh and validate endpoints?
Thanks, Liam. And would that use the same session storage as my IdP’s session storage for SAML-based sessions? I assume they’re the same.
Keith
From: users <users-bounces at shibboleth.net> On Behalf Of Liam Hoekenga
Sent: Friday, August 30, 2019 2:28 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: OIDC extension: refresh and validate endpoints?
One more question based on what Liam brought up: what property controls the storage service to use for refresh tokens? I don’t see a storage setting for this in idp-oidc.properties. I only see dynamic registrations, remote JWK sets, and the revocation cache which, obviously, all must be server-side.
I'm pretty sure they just use the same storage service that the rest of the tokens use (session storage).
Liam