token-policy-configuration-for-applications-c4ba52e.md

File metadata and controls

319 lines (194 loc) · 7.1 KB

Token Policy Configuration for Applications

Set the token policy for a specific OpenID Connect application: configure the validity of the refresh token, the validity of the access and ID tokens, and the maximum number of sessions per user.

Context

Token Policy

The following table lists the token policy options for OIDC applications.

Token Policy Configuration Parameters

| Parameter | Description |
|---|---|
| Refresh Token | Sets the lifetime of the refresh token issued by Identity Authentication. The value can range from 1 to 4320 hours, in other words, from 1 hour to 180 days. The default value is 12 hours. See the notes below. |
| Access / ID Token | Sets the lifetime of the access token and the ID token issued by Identity Authentication. The value can range from 1 to 720 minutes, in other words, from 1 minute to 12 hours. The default value is 60 minutes. |
| Max sessions per user | Determines the maximum number of tokens that the service issues in parallel for the same user session. For example, if a user is logged on to the application through a web interface and a command-line interface at the same time, set this parameter to 2. The value can range from 1 to 10. The default value is 1. |

Note (Refresh Token):

  • If the validity of the refresh token is shorter than the validity of the access/ID tokens, the refresh token expires first, so the access/ID tokens can't be refreshed once they expire.

  • When using the authorization code flow, if you set the refresh token lifetime longer than the session timeout, add the offline_access scope to your authorization code request. Without this scope, the service deletes the refresh token from the database when the resource owner ends the session (logs out). Without the refresh token, the OAuth client can't request new tokens anymore.

    For more information, see:

Remember:

By default, the token policy of an application is equal to the tenant token policy. If you configure values for an application, those values override the tenant token policy for that application. For more information about the tenant token policy, see Tenant OpenID Connect Configurations.

Advanced Settings

Refresh Token Usage After Renewal

Normally, a refresh token can be used only once: the server issues a new refresh token and invalidates the submitted one. If the refresh call fails, for example because of a network problem, the client may never receive the new token while the old one is already invalid. This setting lets the server accept a refresh token that was already submitted, so that the application can retry the call. Define the behavior depending on your scenario and the risk you accept. If you extend the rotation lifetime, we recommend revoking existing tokens with a separate call.

Refresh Token Usage After Renewal

| Setting | Description |
|---|---|
| Off (Default) | The new refresh token immediately invalidates the old one. |
| Online scenarios | The new refresh token is created and the old one remains valid for 5 more minutes. |
| Mobile scenarios | The new and the old refresh token both remain valid for the configured refresh token lifetime. |

Note:

In the online and mobile scenarios, a refresh call made with the old refresh token results in the new token. A refresh call made with the new refresh token invalidates the old refresh token.

Access Token Format

| Setting | Description |
|---|---|
| Grant-Type Dependent (Default) | The format of the token depends on the grant type, as listed below. |
| JSON Web Token | All tokens are generated in the JWT format. |
| Opaque | All tokens are generated in the opaque format. |

With the Grant-Type Dependent setting, the format is as follows:

  • Authorization Code Flow - JWT
  • Client Credentials Flow - JWT
  • Resource Owner Password Credentials Flow - opaque
  • Token Exchange - opaque
  • JWT Bearer Flow - opaque
  • Refresh Token Endpoint - opaque
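A consequence of the default Grant-Type Dependent setting is that a client which starts with a JWT access token from the authorization code flow receives an opaque access token after its first refresh, so a resource server cannot assume a single format. The following Python example is added here and is not code from this documentation or from the service: it classifies a received token by structure, validates JWTs locally and routes everything else to token introspection. The HS256 key, the sample claims and the opaque token value are constructed for the example; the signing algorithm and keys that Identity Authentication actually uses are not assumed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret, used only so that this self-contained example can
# produce a structurally valid HS256 JWT. Real resource servers verify the
# issuer's signature with the issuer's published keys; the algorithm and keys
# Identity Authentication uses are not assumed here.
EXAMPLE_KEY = b"example-only-hmac-key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims: dict, key: bytes = EXAMPLE_KEY) -> str:
    """Build a sample HS256 JWT from constructed claims (test input only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def token_format(token: str) -> str:
    """Classify a token by structure: 'jwt' if it has three base64url segments
    and a JSON header carrying an 'alg' member, otherwise 'opaque'.
    This is a format check only; it verifies nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64url, bad UTF-8 or not JSON
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"


def validate_locally(token: str, key: bytes = EXAMPLE_KEY,
                     now: Optional[float] = None) -> dict:
    """Verify the JWT signature and the 'exp' claim; return the claims or raise."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm: never let the token choose it (e.g. "none")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def route_token(token: str, now: Optional[float] = None) -> str:
    """Decide how a resource server must check a received access token:
    a JWT can be validated locally, an opaque token only by calling the
    issuer's token introspection endpoint (the call itself is not made here)."""
    if token_format(token) == "jwt":
        validate_locally(token, now=now)
        return "validated-locally"
    return "needs-introspection"


if __name__ == "__main__":
    now = 1_700_000_000
    jwt_token = make_sample_jwt({"sub": "user1", "exp": now + 3600})
    opaque_token = "e7f3c2a9d1b04c58a6e2f0d3b1c9a7e5"  # constructed opaque value
    print(route_token(jwt_token, now=now))     # validated-locally
    print(route_token(opaque_token, now=now))  # needs-introspection
```

The format check is deliberately separate from validation: a token that merely looks like a JWT still has to pass a pinned-algorithm signature check and an expiry check before any claim in it is trusted, and an opaque token carries nothing a resource server can verify on its own.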

Maximum Exchange Period

With the Maximum Exchange Period, you limit how long the application can keep exchanging user tokens without reauthentication after it acquired the initial token.

Maximum Exchange Period

| Setting | Description |
|---|---|
| Unlimited (Default) | After acquiring the initial token, the application can exchange user tokens without reauthenticating, with no time limit. |
| Maximum Session Validity | The period equals the maximum session validity, which is 12 hours. |
| Initial Refresh Token Validity | The period ends when the initial refresh token expires, no matter how many times a refresh token has been exchanged for a newer one. |
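The Refresh Token Usage After Renewal settings above and the Maximum Exchange Period settings in this section both act on the chain of refresh tokens that rotation produces. The following Python model is an added example, not code from this documentation or from the service, and its class, method and token names are assumptions. It implements the three reuse settings (Off, Online with a 5-minute grace window, Mobile), the rule that using the new token invalidates the old one, and the three exchange-period limits, on an abstract clock measured in seconds, so that the retry-after-lost-response case and the chain deadline can be exercised offline.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

HOUR = 3600
ONLINE_GRACE = 5 * 60             # Online scenarios: old token usable 5 more minutes
MAX_SESSION_VALIDITY = 12 * HOUR  # Maximum Session Validity option


@dataclass
class RefreshToken:
    exp: float                       # absolute expiry of this refresh token
    chain_deadline: Optional[float]  # Maximum Exchange Period limit, None = unlimited
    predecessor: Optional[str] = None
    successor: Optional[str] = None  # set once this token has been rotated
    used_at: Optional[float] = None
    revoked: bool = False


class RefreshPolicyServer:
    """Toy model (assumed names) of a refresh-token endpoint under the three
    'Refresh Token Usage After Renewal' settings and the three
    'Maximum Exchange Period' settings. Times are seconds on an abstract clock."""

    def __init__(self, refresh_lifetime_hours: int = 12,
                 reuse: str = "off", exchange_period: str = "unlimited"):
        if not 1 <= refresh_lifetime_hours <= 4320:
            raise ValueError("refresh token lifetime must be 1..4320 hours")
        if reuse not in ("off", "online", "mobile"):
            raise ValueError("reuse must be off, online or mobile")
        if exchange_period not in ("unlimited", "session", "initial"):
            raise ValueError("exchange_period must be unlimited, session or initial")
        self.lifetime = refresh_lifetime_hours * HOUR
        self.reuse = reuse
        self.exchange_period = exchange_period
        self.tokens: Dict[str, RefreshToken] = {}

    def login(self, now: float) -> str:
        """The user authenticates; issue the first refresh token of a chain."""
        exp = now + self.lifetime
        if self.exchange_period == "session":
            deadline = now + MAX_SESSION_VALIDITY
        elif self.exchange_period == "initial":
            deadline = exp               # the chain ends when the initial token would
        else:
            deadline = None
        tid = secrets.token_hex(8)
        self.tokens[tid] = RefreshToken(exp=exp, chain_deadline=deadline)
        return tid

    def refresh(self, tid: str, now: float) -> str:
        """Exchange a refresh token; return the refresh token the client should keep."""
        rec = self.tokens.get(tid)
        if rec is None or rec.revoked:
            raise PermissionError("invalid_grant: unknown or revoked refresh token")
        if now >= rec.exp:
            raise PermissionError("invalid_grant: refresh token expired")
        if rec.chain_deadline is not None and now >= rec.chain_deadline:
            raise PermissionError("invalid_grant: maximum exchange period reached")
        if rec.successor is not None:
            # Already rotated: apply the Refresh Token Usage After Renewal setting.
            # A retry with the old token yields the token that was already issued.
            if self.reuse == "online" and now < rec.used_at + ONLINE_GRACE:
                return rec.successor
            if self.reuse == "mobile":
                return rec.successor     # old token stays valid until its own exp
            raise PermissionError("invalid_grant: refresh token already used")
        # First use: rotate. A later token never outlives the chain deadline.
        new_exp = now + self.lifetime
        if rec.chain_deadline is not None:
            new_exp = min(new_exp, rec.chain_deadline)
        new_tid = secrets.token_hex(8)
        self.tokens[new_tid] = RefreshToken(exp=new_exp, chain_deadline=rec.chain_deadline,
                                            predecessor=tid)
        rec.successor, rec.used_at = new_tid, now
        # Using a token for the first time invalidates the one it replaced,
        # so a grace window never reaches back more than one rotation.
        if rec.predecessor is not None:
            self.tokens[rec.predecessor].revoked = True
        return new_tid

    def revoke(self, tid: str) -> None:
        """Explicit revocation, the separate call recommended when a grace window is on."""
        if tid in self.tokens:
            self.tokens[tid].revoked = True


if __name__ == "__main__":
    srv = RefreshPolicyServer(reuse="online")
    first = srv.login(now=0)
    new = srv.refresh(first, now=60)              # the response is lost on the network
    print(srv.refresh(first, now=90) == new)      # True: retry inside 5 minutes gets the same token
```

The model makes the trade-off explicit: a grace window (Online) or a full overlap (Mobile) lets a client recover from a lost response, but it also means a stolen old token remains usable for that window, which is why the page recommends revoking tokens with a separate call when rotation lifetime is extended.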

To configure the token policy, proceed as follows:

Procedure

  1. Sign in to the administration console for SAP Cloud Identity Services.

  2. Under Applications and Resources, choose the Applications tile.

  3. Choose the application that you want to edit.

    Note:

    Type the name of the application in the search field to filter the list items, or choose the application from the list on the left.

    If your list does not contain an application yet, you can create one. For more information, see Create a New Application.

  4. Choose the Trust tab.

  5. Under SINGLE SIGN-ON, choose OpenID Connect Configuration.

  6. Manually configure the token policy for the application. Use the slider or provide a number in the input field above the slider.

    If needed, use the reset button to set to the default value.

  7. Optional: Choose values for the Advanced Settings configuration from the drop-downs.

  8. Save your changes.

Related Information

Redirect URIs, Post Logout Redirect URI Rules

Logout URI Rules

Configure Grant Types

Tenant OpenID Connect Configurations