How to configure PhenixID Authentication Services to issue refresh tokens

Requirements

  • PhenixID Authentication Services version 4.3 or higher
  • PhenixID Authentication Services configured with an OpenID Connect Provider

Overview

This instruction explains how to configure PhenixID Authentication Services to issue a refresh_token when it is used as an OpenID Connect Provider or OAuth Authorization Server.

Please note that the configuration below uses sessions as the persistence layer for refresh tokens. Session lifetimes are restricted for security reasons and normally last for a maximum of 4 hours, depending on server configuration, so a session-backed refresh token is valid for at most that long.

For long-lived refresh_tokens, please use an external SQL or LDAP source as the persistence layer. This is feasible with PhenixID Authentication Services but requires more configuration. Please consult PhenixID professional services for such configuration assistance.

Configuration

  • Log in to Configuration Manager
  • Select Scenarios->OIDC->YOUR_OIDC_PROVIDER
  • Click Execution flow
  • Expand Token endpoint
  • The execution flow picture in the original article shows which valves have been added or changed (a valve with a comment after the colon has been added or changed). The list below gives an instruction for each change.

New or changed valves, from top to bottom:

  1. ItemCreateValve - Move from original spot.
  2. UUIDCreateValve - Add new. Enter name = refresh_token. Move valve.
  3. SessionCreateValve - Add new. Move valve.
  4. SessionBindValve - Add new. Enter alias = {{item.refresh_token}}. Move valve.
  5. SessionPersistValve - Add new. Move valve.
  6. SessionResolveValve - Use original valve. Enter Execute-if-expression = request.get('grant_type').equals('authorization_code')
  7. SessionResolveValve - Add new. Enter alias = {{request.refresh_token}}. Enter Execute-if-expression = request.get('grant_type').equals('refresh_token'). Move valve.
  8. PropertyFromSessionToItem - Add new. Enter source = access_token_session_pointer. Enter Execute-if-expression = request.get('grant_type').equals('refresh_token'). Move valve.
  9. SessionRemoveValve - Add new. Enter Execute-if-expression = request.get('grant_type').equals('refresh_token'). Move valve.
  10. SessionResolveValve - Add new. Enter alias = {{item.access_token_session_pointer}}. Enter Execute-if-expression = request.get('grant_type').equals('refresh_token'). Move valve.
  11. OIDCTokenRequestValidationValve - Deselect Enabled.
  12. SessionTouchValve - Add new. Move valve.
  13. SessionResolveValve - Add new. Enter alias = {{item.refresh_token}}. Move valve.
  14. SessionPropertyAddValve - Add new. Enter name = access_token_session_pointer. Enter value = {{item.access_token}}. Move valve.
  15. SessionPersistValve - Add new. Move valve.
  16. PropertyRemoveValve - Use original. Enter property name = subject_id,access_token_session_pointer. Move to be executed last.

Save the config.
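The following is an added, constructed model of the token-endpoint flow configured above; it is not PhenixID code and the in-memory SessionStore, the issue_tokens and token_endpoint functions, and the code-keyed authorization session are assumptions made to illustrate the valve semantics. It traces what the valve chain enforces: the refresh token is a UUID whose session points at the access-token session, the SessionRemoveValve makes a presented refresh token single use (a replay yields invalid_grant), and because the token lives only as long as its session it expires with the session lifetime (4 hours here, as the page's default). Minting a fresh access token on every refresh is a modelling choice, not something the page states.

```python
import time
import uuid

# Page: session-backed refresh tokens live at most as long as the session,
# normally 4 hours depending on server configuration.
SESSION_TTL_SECONDS = 4 * 60 * 60


class SessionStore:
    """In-memory stand-in for the session layer (constructed; not PhenixID code)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so expiry can be tested
        self.sessions = {}          # alias -> {"props": {...}, "expires": float}

    def create(self, alias, props=None):
        # SessionCreateValve + SessionBindValve(alias) + SessionPersistValve
        self.sessions[alias] = {"props": dict(props or {}),
                                "expires": self.clock() + SESSION_TTL_SECONDS}

    def resolve(self, alias):
        # SessionResolveValve: an expired session is treated as missing
        session = self.sessions.get(alias)
        if session is None:
            return None
        if session["expires"] <= self.clock():
            del self.sessions[alias]
            return None
        return session

    def touch(self, alias):
        # SessionTouchValve: extend the lifetime of a live session
        session = self.resolve(alias)
        if session is not None:
            session["expires"] = self.clock() + SESSION_TTL_SECONDS

    def remove(self, alias):
        # SessionRemoveValve
        self.sessions.pop(alias, None)


def issue_tokens(store, subject_id):
    """Mint an access token and a refresh token. The refresh-token session
    carries access_token_session_pointer, as in steps 13-15 of the flow."""
    access_token = str(uuid.uuid4())
    refresh_token = str(uuid.uuid4())   # UUIDCreateValve, name = refresh_token
    store.create(access_token, {"subject_id": subject_id})
    store.create(refresh_token, {"access_token_session_pointer": access_token})
    return {"access_token": access_token, "refresh_token": refresh_token,
            "token_type": "Bearer"}


def token_endpoint(store, request):
    """Dispatch on grant_type, mirroring the Execute-if-expressions in the flow."""
    grant_type = request.get("grant_type")
    if grant_type == "authorization_code":
        # Assumption: the authorization step stored the subject under the code's alias.
        auth_session = store.resolve(request.get("code"))
        if auth_session is None:
            return {"error": "invalid_grant"}
        store.remove(request["code"])                     # a code is single use
        return issue_tokens(store, auth_session["props"]["subject_id"])
    if grant_type == "refresh_token":
        presented = request.get("refresh_token")
        rt_session = store.resolve(presented)             # step 7
        if rt_session is None:
            return {"error": "invalid_grant"}             # unknown, already used or expired
        pointer = rt_session["props"]["access_token_session_pointer"]   # step 8
        store.remove(presented)                           # step 9: refresh token is single use
        at_session = store.resolve(pointer)               # step 10
        if at_session is None:
            return {"error": "invalid_grant"}
        store.touch(pointer)                              # step 12
        return issue_tokens(store, at_session["props"]["subject_id"])
    return {"error": "unsupported_grant_type"}


def demo():
    """Walk one client through code exchange, refresh, replay and expiry."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    store.create("code-123", {"subject_id": "alice"})     # constructed authorization result
    first = token_endpoint(store, {"grant_type": "authorization_code", "code": "code-123"})
    second = token_endpoint(store, {"grant_type": "refresh_token",
                                    "refresh_token": first["refresh_token"]})
    replay = token_endpoint(store, {"grant_type": "refresh_token",
                                    "refresh_token": first["refresh_token"]})
    now[0] += SESSION_TTL_SECONDS + 1                     # let the session lifetime run out
    expired = token_endpoint(store, {"grant_type": "refresh_token",
                                     "refresh_token": second["refresh_token"]})
    return first, second, replay, expired


if __name__ == "__main__":
    for label, result in zip(("code", "refresh", "replay", "expired"), demo()):
        print(label, result)
```

Running the demo shows the second refresh request with the already-used token and the request made after the session lifetime both answered with invalid_grant, which is the behaviour to confirm against a real deployment after the valves above are in place.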