By: Bart Peeters user 04 Sep 2020 at 4:22 a.m. CDT

3 Responses
When the user does an HTTP GET request to /token to get a new refresh token we would like to be able to do a check to an external API to verify the user associated with the refresh token is still active. What custom script type should I use for this? Custom Authentication and Postauthn scripts do not seem to be executed when getting a refresh token. The custom script should stop Gluu from returning a new refresh token. Kind regards, Bart

By Michael Schwartz Account Admin 14 Sep 2020 at 11:18 a.m. CDT

Are you using reference tokens or JWT tokens? If JWT, then the introspection script will run. If reference tokens, then perhaps you should just wait for the client to hit the introspection endpoint.

By Bart Peeters user 21 Sep 2020 at 3:51 a.m. CDT

We are mainly using the id token. In our current configuration the id token expires after 30 days, then the client should make a /token GET request which returns a new id token (using openidScopeBackwardCompatibility: true) which is valid for the next 30 days. Our refresh tokens expire after 5 years. We would like to run a custom script when this GET /token is executed, or when an id JWT token is created.

By Michael Schwartz Account Admin 30 Sep 2020 at 1:55 p.m. CDT

Don't use the id_token as an OAuth access token. This is a terrible practice. The id_token is an identity_assertion, like a SAML assertion. The only way to refresh the id_token is to re-authenticate the subject.
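The thread's two points, that an id_token must not be accepted as an access token and that token validity should be gated on the user still being active, can be combined in one introspection-style decision. The following is an added illustration in plain Python, not a Gluu custom script (Gluu's introspection scripts are Jython classes with their own interface) and not code from anyone in this thread. It assumes HS256 with a constructed demo key, uses the RFC 9068 `typ: at+jwt` header to distinguish access tokens from id_tokens, and stands in for the external user-status API with a constructed in-memory table named `USER_STATUS`.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key. A real authorization server signs with keys from its keystore.
SIGNING_KEY = b"constructed-demo-hmac-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, typ: str) -> str:
    """Mint an HS256 JWT. typ is 'JWT' for an id_token, 'at+jwt' for an access token (RFC 9068)."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str) -> Optional[Tuple[dict, dict]]:
    """Return (header, claims) if the token is well formed and its HS256 signature checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never trust the token's own 'alg' choice (e.g. 'none').
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    return header, claims


# Constructed stand-in for the external "is this user still active?" API.
USER_STATUS = {"alice": True, "bob": False}


def user_is_active(sub: str) -> bool:
    return USER_STATUS.get(sub, False)


def introspect(token: str, now: Optional[float] = None) -> dict:
    """Introspection-style decision: active only for a valid, unexpired access token of an active user."""
    now = time.time() if now is None else now
    verified = verify_jwt(token)
    if verified is None:
        return {"active": False, "reason": "bad_signature_or_format"}
    header, claims = verified
    # An id_token is an identity assertion addressed to the client; it is not a credential
    # for a resource server, so it is never reported as an active access token.
    if header.get("typ") != "at+jwt":
        return {"active": False, "reason": "not_an_access_token"}
    if claims.get("exp", 0) <= now:
        return {"active": False, "reason": "expired"}
    # The check the original poster wanted at refresh time: the subject must still be active.
    if not user_is_active(claims.get("sub", "")):
        return {"active": False, "reason": "user_inactive"}
    return {"active": True, "sub": claims["sub"], "scope": claims.get("scope", ""), "exp": claims["exp"]}


if __name__ == "__main__":
    now = time.time()
    print(introspect(sign_jwt({"sub": "alice", "exp": now + 3600, "scope": "openid"}, "at+jwt"), now))
    print(introspect(sign_jwt({"sub": "alice", "exp": now + 3600, "aud": "client-1"}, "JWT"), now))
    print(introspect(sign_jwt({"sub": "bob", "exp": now + 3600}, "at+jwt"), now))
```

The same `user_is_active` gate is what a refresh-token flow would consult before minting a new token; the introspection path is shown here because, as the reply above notes, that is where a JWT deployment's script runs on every resource-server check rather than only at refresh time.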