Updating token lifetime
Updating token lifetime in the mapping rule
In some scenarios, the lifetime of the generated token must be modified based on the incoming scope. A new mapping rule utility is introduced to address these scenarios.
Mapping rule snippet
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);

// Trace the incoming request for debugging.
IDMappingExtUtils.traceString("Entering pre token mapping rule");
IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName());
IDMappingExtUtils.traceString("STSUU: " + stsuu.toString());

// Read the grant type and the requested scope from the request context.
var grant_type = stsuu.getContextAttributes().getAttributeValueByName("grant_type");
var scope_test_param = stsuu.getContextAttributes().getAttributeValueByName("scope");
IDMappingExtUtils.traceString("test_param: " + scope_test_param);

// Scope "profile": override both lifetimes for any grant type.
if (scope_test_param != null && scope_test_param == "profile") {
    cfgOverride["at_lifetime_in_secs"] = 2000;
    cfgOverride["rt_lifetime_in_secs"] = 4000;
}
// Scope "email": override only when the request is a refresh_token grant.
else if (scope_test_param != null && scope_test_param == "email" && grant_type == "refresh_token") {
    cfgOverride["at_lifetime_in_secs"] = 1000;
    cfgOverride["rt_lifetime_in_secs"] = 3000;
}
- cfgOverride is a JSON object that provides the ability to override the access token and refresh token lifetimes.
- cfgOverride is available only in the pre token mapping rule.
- at_lifetime_in_secs represents the access token lifetime in seconds, that is, how long the access token is valid.
- rt_lifetime_in_secs represents the refresh token lifetime in seconds, that is, how long the refresh token is valid.
Note
The refresh token lifetime indicates the grant lifetime. If the refresh token lifetime is set to a value less than the access token lifetime, the entire grant expires when the refresh token expires, so the access token belonging to that refresh token also expires.
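The following is an added example, not part of the original page and not IBM's code: it moves the lifetime decision into plain JavaScript functions that can be tested under Node.js before the values are used in a mapping rule. It goes beyond the snippet by treating scope as the space-delimited list that OAuth 2.0 defines and by computing the effective access token lifetime described in the note; LIFETIME_POLICY, selectOverride and effectiveAccessLifetime are hypothetical names, and "shortest lifetime wins" is an assumption.

```javascript
// Added example, plain JavaScript (runs under Node.js). Not IBM's code.
// LIFETIME_POLICY mirrors the two branches of the mapping rule on this page;
// grantType null means "any grant type".
const LIFETIME_POLICY = [
  { scope: "profile", grantType: null, at: 2000, rt: 4000 },
  { scope: "email", grantType: "refresh_token", at: 1000, rt: 3000 },
];

// Hypothetical helper: returns the override for a request, or null when no
// policy entry applies and the configured default lifetimes should stay.
function selectOverride(scopeParam, grantType) {
  if (scopeParam == null) return null;
  // OAuth 2.0 (RFC 6749, section 3.3): scope is a space-delimited list.
  const scopes = String(scopeParam).split(" ").filter((s) => s.length > 0);
  const matches = LIFETIME_POLICY.filter(
    (p) =>
      scopes.includes(p.scope) &&
      (p.grantType === null || p.grantType === String(grantType))
  );
  if (matches.length === 0) return null;
  // Assumption: when several entries match, the shortest lifetimes win.
  return {
    at_lifetime_in_secs: Math.min(...matches.map((p) => p.at)),
    rt_lifetime_in_secs: Math.min(...matches.map((p) => p.rt)),
  };
}

// Per the note: the refresh token lifetime is the grant lifetime, so an
// access token never outlives it, whatever at_lifetime_in_secs says.
function effectiveAccessLifetime(override) {
  return Math.min(override.at_lifetime_in_secs, override.rt_lifetime_in_secs);
}

// Constructed sample requests.
for (const [scope, grant] of [
  ["profile", "authorization_code"],
  ["openid profile", "authorization_code"],
  ["profile email", "refresh_token"],
  ["email", "authorization_code"],
]) {
  console.log(scope, grant, JSON.stringify(selectOverride(scope, grant)));
}
```

In a pre token mapping rule, a non-null result would be copied key by key into cfgOverride; a null result leaves the configured lifetimes untouched.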