Overriding OIDC token timeouts: bug or am I overlooking something?
Henri Mikkonen
henri.mikkonen at csc.fi
Mon Sep 23 08:46:54 EDT 2019
Hi Keith,
> On 23 Sep 2019, at 1.09, Wessel, Keith <kwessel at illinois.edu> wrote:
> I asked a couple weeks ago about overriding refresh and access token lifetimes for the OIDC extension. I implemented this, but it's causing some very weird behavior. When I put something in like the following, it seems to lose other OIDC configuration values:
>
> <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'some_client_id'}}">
> <property name="profileConfigurations">
> <list>
> <bean parent="OIDC.SSO" p:accessTokenLifetime="P1D"
> p:iDTokenLifetime="P1D" p:refreshTokenLifetime="P1Y" />
> </list>
> </property>
> </bean>
>
> The result is an ID token that can't be validated because it has our entityID (urn:mace:incommon:uiuc.edu) instead of our issuer (https://shibboleth.illinois.edu). For clients not included in the list that this override bean applies to, things still work. I've also had a client in the list for this bean that requested a userinfo response and got an error back that the endpoint wasn't allowed for that relying party.
It looks like your RelyingPartyByName bean is missing the 'responderIdLookupStrategy' attribute definition. That's why it injects the (SAML) entity ID as the issuer value, and not the OIDC issuer. So, the bean definition should start with something like the following:
<bean parent="RelyingPartyByName" p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" ...
BR,
Henri.
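The complete override bean as Henri describes it, written out as an added example (not code from the thread itself): Keith's profile configuration with the token lifetimes, plus the responderIdLookupStrategy reference that makes the OIDC issuer, rather than the SAML entityID, appear in the ID token. The client ID is a constructed placeholder.

```xml
<!-- Added example: RelyingPartyByName override for one OIDC client.
     Without p:responderIdLookupStrategy-ref the override falls back to the
     SAML entityID as the token issuer, so the ID token fails validation. -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="#{{'some_client_id'}}"
      p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction">
    <property name="profileConfigurations">
        <list>
            <!-- Lifetimes are ISO 8601 durations; values here are the ones
                 from Keith's message, not recommendations. -->
            <bean parent="OIDC.SSO"
                  p:accessTokenLifetime="P1D"
                  p:iDTokenLifetime="P1D"
                  p:refreshTokenLifetime="P1Y" />
        </list>
    </property>
</bean>
```

After applying the override, confirm the `iss` claim of an ID token issued to that client matches the configured OIDC issuer URL and not the entityID.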