Updating token lifetime

Updating token lifetime in the mapping rule

In some scenarios, the lifetime of the generated token needs to be modified based on the incoming scope. A new mapping rule utility is introduced to address these scenarios.

Mapping rule snippet

importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);

IDMappingExtUtils.traceString("Entering pre token mapping rule");
IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName());

// Development aid: writes the whole STSUU, including request attributes, to the trace log.
IDMappingExtUtils.traceString("STSUU: " + stsuu.toString());

// Read the grant type and the requested scope from the request context.
var grant_type = stsuu.getContextAttributes().getAttributeValueByName("grant_type");
var scope_test_param = stsuu.getContextAttributes().getAttributeValueByName("scope");

IDMappingExtUtils.traceString("test_param: " + scope_test_param);

// Scope "profile": override both lifetimes for any grant type.
if (scope_test_param != null && scope_test_param == "profile") {
    cfgOverride["at_lifetime_in_secs"] = 2000;
    cfgOverride["rt_lifetime_in_secs"] = 4000;
}
// Scope "email": override only when the token is issued by a refresh_token grant.
else if (scope_test_param != null && scope_test_param == "email" && grant_type == "refresh_token") {
    cfgOverride["at_lifetime_in_secs"] = 1000;
    cfgOverride["rt_lifetime_in_secs"] = 3000;
}

  • cfgOverride is a JSON object that provides the ability to override the access token and refresh token lifetimes.
  • cfgOverride is available only in the pre token mapping rule.
  • at_lifetime_in_secs is the access token lifetime in seconds, that is, how long the access token is valid.
  • rt_lifetime_in_secs is the refresh token lifetime in seconds, that is, how long the refresh token is valid.

Note

The refresh token lifetime indicates the grant lifetime. If the refresh token lifetime is set to a value less than the access token lifetime, the entire grant expires when the refresh token expires, so the access token belonging to that grant also expires.
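The following is an added example, not code from the product or from the original page: it restates the snippet's two rules as a table and caps the access token lifetime at the refresh token lifetime, so the override never promises an access token that outlives its grant. The names LIFETIME_POLICY, selectLifetimes, isPositiveInt and applyOverride are hypothetical, and the requests are constructed stand-ins for the STSUU context attributes.

```javascript
// Added example, not product code. The lifetimes are the values used on this page.
var LIFETIME_POLICY = [
  { scope: "profile", grantType: null, at: 2000, rt: 4000 },          // any grant type
  { scope: "email", grantType: "refresh_token", at: 1000, rt: 3000 }
];

// Return the first policy entry matching the request, or null for "no override".
function selectLifetimes(policy, scope, grantType) {
  if (scope === null || scope === undefined) return null;
  // Assumption: values read from the STSUU may be Java strings, so normalise them.
  var s = String(scope);
  var g = (grantType === null || grantType === undefined) ? null : String(grantType);
  for (var i = 0; i < policy.length; i++) {
    var p = policy[i];
    if (p.scope === s && (p.grantType === null || p.grantType === g)) return p;
  }
  return null;
}

function isPositiveInt(n) {
  return typeof n === "number" && isFinite(n) && n > 0 && Math.floor(n) === n;
}

// Write the override. The refresh token lifetime is the grant lifetime, so the
// access token cannot outlive it: cap at_lifetime_in_secs at rt_lifetime_in_secs
// so the configured value matches what the client can actually use.
function applyOverride(cfgOverride, policy, scope, grantType) {
  var p = selectLifetimes(policy, scope, grantType);
  if (p === null) return false;                                    // keep configured defaults
  if (!isPositiveInt(p.at) || !isPositiveInt(p.rt)) return false;  // ignore malformed entries
  cfgOverride["at_lifetime_in_secs"] = Math.min(p.at, p.rt);
  cfgOverride["rt_lifetime_in_secs"] = p.rt;
  return true;
}

// Constructed request: scope "profile" on an authorization_code grant.
var demo = {};
applyOverride(demo, LIFETIME_POLICY, "profile", "authorization_code");
console.log(JSON.stringify(demo));
```

Inside the pre token mapping rule the equivalent call would be applyOverride(cfgOverride, LIFETIME_POLICY, scope_test_param, grant_type).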