Overriding OIDC token timeouts: bug or am I overlooking something?

Wessel, Keith kwessel at illinois.edu
Sun Sep 22 18:09:55 EDT 2019

Hi, All,

I asked a couple weeks ago about overriding refresh and access token lifetimes for the OIDC extension. I implemented this, but it's causing some very weird behavior. When I put something in like the following, it seems to lose other OIDC configuration values:

        <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'some_client_id'}}">
            <property name="profileConfigurations">
                <bean parent="OIDC.SSO" p:accessTokenLifetime="P1D"
                    p:iDTokenLifetime="P1D" p:refreshTokenLifetime="P1Y" />
            </property>
        </bean>

The result is an ID token that can't be validated because it has our entityID (urn:mace:incommon:uiuc.edu) instead of our issuer (https://shibboleth.illinois.edu). For clients not included in the list that this override bean applies to, things still work. I've also had a client in the list for this bean that requested a userinfo response and got an error back that the endpoint wasn't allowed for that relying party.

If I override values for OIDC.SSO, do I need to include additional parameters to override? Seems like it should be using the defaults.

If it matters, I'm including the OIDC relying party beans with an <import> element. I'm including this at the end of my relying-party.xml, but I've tried moving it up to the top as the first element inside the parent <beans> element with the same results.

Any help appreciated because, with this situation, my only option is to globally override OIDC token timeout values.
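The two symptoms above (an ID token whose iss is the SAML entityID rather than the OIDC issuer, and token lifetimes that may or may not reflect the per-client override) can be checked directly on a captured ID token. The script below is an added diagnostic, not part of the original post or of the Shibboleth OIDC extension: it decodes a compact JWT without verifying the signature, compares iss with the expected issuer, and compares exp - iat with the configured ISO 8601 lifetime (P1D etc.). The token it runs against is constructed inline with alg "none" for an offline demonstration; the issuer and entityID strings are the ones quoted in the post, and the year/month-to-seconds conversion is an approximation assumed here only for comparing lifetimes.

```python
import base64
import json
import re

# Values quoted in the post; the tokens below are constructed for this demo.
EXPECTED_ISSUER = "https://shibboleth.illinois.edu"
ENTITY_ID = "urn:mace:incommon:uiuc.edu"

_DURATION_RE = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def iso_duration_seconds(value: str) -> int:
    """Convert an ISO 8601 duration such as P1D, PT1H or P1Y to seconds.

    Assumption made only for this diagnostic: a year is 365 days and a
    month is 30 days, which is enough to tell P1D from P1Y in a token.
    """
    match = _DURATION_RE.match(value)
    if not match or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value!r}")
    g = {k: int(v or 0) for k, v in match.groupdict().items()}
    return (g["y"] * 365 * 86400 + g["mo"] * 30 * 86400 + g["d"] * 86400
            + g["h"] * 3600 + g["mi"] * 60 + g["s"])


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    Troubleshooting aid only: a relying party must still verify the
    signature against the issuer's published keys before trusting claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(token: str, expected_issuer: str, expected_lifetime: str) -> dict:
    """Compare iss and the iat/exp window of an ID token with what the
    OIDC.SSO override was supposed to produce. Returns a findings dict."""
    claims = decode_jwt_claims(token)
    iss = claims.get("iss")
    iat, exp = claims.get("iat"), claims.get("exp")
    lifetime = (exp - iat) if isinstance(iat, int) and isinstance(exp, int) else None
    expected_seconds = iso_duration_seconds(expected_lifetime)

    problems = []
    if iss != expected_issuer:
        problems.append(f"iss is {iss!r}, expected {expected_issuer!r}")
        if iss == ENTITY_ID:
            problems.append("iss is the SAML entityID, the symptom described in the post")
    if lifetime != expected_seconds:
        problems.append(f"exp - iat is {lifetime}, expected {expected_seconds} ({expected_lifetime})")

    return {
        "issuer": iss,
        "issuer_ok": iss == expected_issuer,
        "lifetime_seconds": lifetime,
        "lifetime_ok": lifetime == expected_seconds,
        "problems": problems,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed alg=none JWT (empty signature part) for offline tests."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed: what the post describes (entityID in iss, one-day lifetime).
    broken = make_unsigned_token({"iss": ENTITY_ID, "iat": 1569200000, "exp": 1569286400})
    # Constructed: what the override was meant to produce.
    expected = make_unsigned_token({"iss": EXPECTED_ISSUER, "iat": 1569200000, "exp": 1569286400})
    for name, tok in (("broken", broken), ("expected", expected)):
        print(name, json.dumps(check_id_token(tok, EXPECTED_ISSUER, "P1D"), indent=2))
```

Point it at a real ID token by replacing the constructed token with the one the client received; the issuer check isolates the entityID-versus-issuer symptom from the lifetime question, so you can tell whether the override changed the lifetimes at all before going further.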


