Updating token lifetime in the mapping rule

Scenarios exist where based on an incoming scope, the lifetime of the generated token needs to be modified. A new mapping rule utility is introduced to address these scenarios.

Mapping rule snippet

importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);

IDMappingExtUtils.traceString("Entering pre token mapping rule")
IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName());


IDMappingExtUtils.traceString("STSUU: " + stsuu.toString());

var grant_type = stsuu.getContextAttributes().getAttributeValueByName("grant_type");
var scope_test_param = stsuu.getContextAttributes().getAttributeValueByName("scope");

IDMappingExtUtils.traceString("test_param: " + scope_test_param);

if(scope_test_param != null && scope_test_param == "profile"){
    
    cfgOverride["at_lifetime_in_secs"] = 2000;
    cfgOverride["rt_lifetime_in_secs"] = 4000;
    
}

else if(scope_test_param != null && scope_test_param == "email" && grant_type == "refresh_token"){
    
    cfgOverride["at_lifetime_in_secs"] = 1000;
    cfgOverride["rt_lifetime_in_secs"] = 3000;
    
}

cfgOverride is a JSON object, that provides the ability to override, access token and refresh token lifetime.
cfgOverride is available only at the pre token mapping rule.
at_lifetime_in_secs represents access token lifetime in seconds.
rt_lifetime_in_secs represents refresh token lifetime in seconds.
at_lifetime_in_secs indicates how long the access token is valid.
rt_lifetime_in_secs indicates how long the refresh token is valid.

📘
Note
Refresh token lifetime indicates the grant lifetime, if a refresh token lifetime is set to a value lesser than the access token, when the refresh token expires the entire grant will expire, so the access token belonging to that token will also expire.

Updating token lifetime in the mapping rule

Mapping rule snippet

📘Note

📘
Note