Overriding OIDC token timeouts: bug or am I overlooking something?

Wessel, Keith kwessel at illinois.edu
Wed Sep 25 16:56:04 EDT 2019


Just wanted to circle back and thank Henri and Scott for the help. The responder ID lookup strategy bean ref fixed the wrong issuer ID, and the adding of the additional beans fixed the error about the userinfo profile not being supported. For anyone needing it, the end result when overriding OIDC parameters looks something like this in your relying-party.xml:

        <bean parent="RelyingPartyByName" p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" c:relyingPartyIds="#{{'some_client_id'}}">
            <property name="profileConfigurations">
                <list>
                    <bean parent="OIDC.SSO" p:accessTokenLifetime="P1D"
                          p:iDTokenLifetime="P1D" p:refreshTokenLifetime="P1Y" />
                    <bean parent="OIDC.UserInfo"/>
                    <bean parent="OAUTH2.Revocation"/>
                </list>
            </property>
        </bean>

Keith
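An added example, not part of the thread or of the Shibboleth OIDC extension: a small relying-party-side check that would have caught the symptom Keith describes (an ID token whose `iss` is the SAML entityID rather than the OIDC issuer) and that also verifies the `exp - iat` window matches the lifetime configured in relying-party.xml. It assumes a constructed HS256 client secret purely so the tokens can be signed and verified offline (a real IdP deployment will normally sign ID tokens with the IdP's asymmetric key and the client verifies against the published JWKS), and it approximates the ISO-8601 `Y`/`M` units as 365 and 30 days, which is an assumption of this script, not a statement about how the IdP interprets them. The issuer, entityID and client_id strings are the ones from the thread.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Values from the thread; the secret is constructed for this example only.
EXPECTED_ISSUER = "https://shibboleth.illinois.edu"
SAML_ENTITY_ID = "urn:mace:incommon:uiuc.edu"
CLIENT_ID = "some_client_id"
SHARED_SECRET = b"constructed-client-secret-for-demo-only"

_DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def duration_seconds(iso: str) -> int:
    """Convert an ISO-8601 duration like P1D or P1Y to seconds.
    Assumption of this script: a year is 365 days and a month 30 days."""
    m = _DURATION_RE.match(iso)
    if not m or not any(m.groups()):
        raise ValueError(f"bad duration: {iso!r}")
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return (((y * 365 + mo * 30 + d) * 24 + h) * 60 + mi) * 60 + s


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT; used here only to construct test tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token, secret, expected_lifetime, now=None):
    """Return a list of problems; an empty list means every check passed."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not three dot-separated segments"]
    h, p, s = parts
    # Pin the algorithm before touching the signature so an attacker-chosen
    # header (e.g. alg=none) can never select the verification method.
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return [f"unexpected alg {header.get('alg')!r}"]
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return ["signature does not verify"]

    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    problems = []

    iss = claims.get("iss")
    if iss != EXPECTED_ISSUER:
        msg = f"iss is {iss!r}, expected {EXPECTED_ISSUER!r}"
        if iss == SAML_ENTITY_ID:
            # The exact symptom from the thread: the SAML entityID was used as
            # the OIDC issuer (missing responderIdLookupStrategy on the bean).
            msg += " (SAML entityID used as issuer)"
        problems.append(msg)

    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        problems.append(f"aud {aud!r} does not contain client_id {CLIENT_ID!r}")

    if "exp" not in claims or claims["exp"] <= now:
        problems.append("token is expired or has no exp claim")
    if "iat" in claims and "exp" in claims:
        lifetime = claims["exp"] - claims["iat"]
        want = duration_seconds(expected_lifetime)
        if lifetime != want:
            problems.append(f"lifetime {lifetime}s differs from configured "
                            f"{expected_lifetime} ({want}s)")
    return problems


if __name__ == "__main__":
    base = {"aud": CLIENT_ID, "sub": "user", "iat": 1_000_000, "exp": 1_086_400}
    good = make_id_token({**base, "iss": EXPECTED_ISSUER}, SHARED_SECRET)
    bad = make_id_token({**base, "iss": SAML_ENTITY_ID}, SHARED_SECRET)
    print("good:", validate_id_token(good, SHARED_SECRET, "P1D", now=1_000_100))
    print("bad: ", validate_id_token(bad, SHARED_SECRET, "P1D", now=1_000_100))
```

The lifetime comparison is exact because the IdP issues `exp` relative to `iat`; if your client tolerates clock skew, compare within a small window instead. The `alg` pin and the constant-time signature compare are the two checks that matter most in a hand-rolled verifier and are the first things to confirm in whatever OIDC library the client actually uses.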


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Henri Mikkonen
Sent: Monday, September 23, 2019 7:47 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Overriding OIDC token timeouts: bug or am I overlooking something?

Hi Keith,

> On 23 Sep 2019, at 1.09, Wessel, Keith <kwessel at illinois.edu> wrote:
> I asked a couple weeks ago about overriding refresh and access token lifetimes for the OIDC extension. I implemented this, but it's causing some very weird behavior. When I put something in like the following, it seems to lose other OIDC configuration values:
> 
>        <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'some_client_id'}}">
>            <property name="profileConfigurations">
>                <list>
>                    <bean parent="OIDC.SSO" p:accessTokenLifetime="P1D"
>                          p:iDTokenLifetime="P1D" p:refreshTokenLifetime="P1Y" />
>                </list>
>            </property>
>        </bean>
> 
> The result is an ID token that can't be validated because it has our entityID (urn:mace:incommon:uiuc.edu) instead of our issuer (https://shibboleth.illinois.edu). For clients not included in the list that this override bean applies to, things still work. I've also had a client in the list for this bean that requested a userinfo response and got an error back that the endpoint wasn't allowed for that relying party.

It looks like your RelyingPartyByName bean is missing the 'responderIdLookupStrategy' attribute definition. That's why it injects the (SAML) entity ID as the issuer value, and not the OIDC issuer. So, the bean definition should start with something like the following:

<bean parent="RelyingPartyByName" p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" …

BR,
Henri.
-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net