...
| Expand |
|---|
| title | OAuth Profile-Specific |
|---|
|
Options specific to generic or OAuth usage of the Token flow: Name | Type | Default | Description |
|---|
resolveAttributes | Boolean | true | Whether to resolve attributes during the token issuance process | grantTypes | Collection<String> | authorization_code, refresh_token | OAuth grant types to allow | accessTokenLifetime | Duration | PT10M | Lifetime of access token issued to client If you customize this, make sure to set the revocation cache lifetime (See Replay and Revocation section later at this page) to at least this length of time. Also check refreshTokenTimeout and use whichever is longer. | refreshTokenLifetime
| Duration
| PT2H
| Lifetime of refresh token issued to client (Deprecated since 3.4)
| refreshTokenTimeout 3.4 | Duration | PT2H | Lifetime of a single refresh token issued to client If you customize this, make sure to set the revocation cache lifetime (See Replay and Revocation section later at this page) to at least this length of time. Also check accessTokenLifetime and use whichever is longer. | refreshTokenChainLifetime 3.4 | Duration | PT2H | Lifetime of the chain of refresh tokens issued to client. The expiration instant is calculated by adding the lifetime to the end-user authentication instant. | forcePKCE | Boolean | false | Whether client is required to use PKCE | allowPKCEPlain | Boolean | false | Whether client is allowed to use PKCE code challenge method "plain" | accessTokenType 3.2 | String | | Format of access token. Supported values are “JWT” or nothing/empty/null, implying opaque tokens. | refreshTokenType 4.1 | String | | Format of refresh token. Supported values are “JWT” or nothing/empty/null, implying opaque tokens. | enforceRefreshTokenRotation 3.2 | Boolean | false | Whether to enforce refresh token rotation. If enabled, the refresh token is revoked whenever it is used for issuing a new refresh token. | accessTokenClaimsSetManipulationStrategy 3.2 | BiFunction<
ProfileRequestContext,
Map<String,Object>,
Map<String,Object>
> | | Manipulation strategy for customising access token claims set contents. The BiFunction inputs are the ProfileRequestContext and the current contents of the claims set as a Map<String,Object>. If the result is non-null, the result (Map<String,Object) is used to replace the contents of the claims set. It is the deployer’s responsibility to ensure the results remain valid/appropriate. | refreshTokenClaimsSetManipulationStrategy 3.2 | BiFunction<
ProfileRequestContext,
Map<String,Object>,
Map<String,Object>
> | | Manipulation strategy for customising refresh token claims set contents. The BiFunction inputs are the ProfileRequestContext and the current contents of the claims set as a Map<String,Object>. If the result is non-null, the result (Map<String,Object) is used to replace the contents of the claims set. It is the deployer’s responsibility to ensure the results remain valid/appropriate. |
The following properties can be used to globally adjust some of the settings above (some of them affect other profiles as well). idp.oauth2.grantTypes idp.oidc.accessToken.defaultLifetime idp.oidc.refreshToken.defaultLifetime (deprecated since v3.4)
idp.oidc.refreshToken.defaultTimeout 3.4 idp.oidc.refreshToken.defaultChainLifetime 3.4 idp.oidc.forcePKCE idp.oidc.allowPKCEPlain idp.oauth2.enforceRefreshTokenRotation 3.2 idp.oauth2.accessToken.type 3.2 idp.oauth2.refreshToken.type 4.1 idp.oauth2.refreshToken.deserializers 4.1 idp.oauth2.refreshToken.serializationStrategies 4.1
|
...
idp.oidc.revocationCache.authorizeCode.lifetime
idp.oidc.revocationCache.StorageService
Since version 3V3.2, via support for revoking single tokens instead of the whole chain (see https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879313/OPRevocation#Configuration), an attempt to use a revoked refresh token causes the whole chain derived from the single revoked token to be revoked. The lifetime for this revocation record is then taken from https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879313/OPRevocation#Configuration.
...