cas 6.x oauth always returns new token


Pablo Vidaurri

Sep 4, 2019, 1:19:06 PM
to CAS Community
I have following properties set for oauth:

cas.authn.oauth.refreshToken.timeToKillInSeconds=600
cas.authn.oauth.code.timeToKillInSeconds=30
cas.authn.oauth.code.numberOfUses=10
# cas.authn.oauth.accessToken.releaseProtocolAttributes=true
cas.authn.oauth.accessToken.timeToKillInSeconds=120
cas.authn.oauth.accessToken.maxTimeToLiveInSeconds=300

When requesting a token:

I get back the following response:
{"access_token":"AT-4-s9-FYTG-vskd2ixSf3-CtgvjXZ-lSyY9","refresh_token":"RT-4-MdOJ6CoOi35hy8U8kASdb3gIahNvwL--","token_type":"bearer","expires_in":300,"scope":""}

Good so far. Now if I wait for a few seconds and make the same request to get a token (same client id), I end up with a new token. Should I not be getting the same token back until it expires, with an updated "expires_in" value?

Is this a config issue? Is it possible to change the behavior to issue the same token for a client id that has not expired yet?

-psv

Andy Ng

Sep 9, 2019, 9:45:42 AM
to CAS Community
Hi psv,

This behavior you described is by OAuth 2 design; it isn't really CAS doing something weird.

For your above step, after your client gets the access_token, you are supposed to store it somewhere (maybe in a session or somewhere else), instead of throwing it away and getting a new access_token every time.

After you have stored it, you can use the stored access_token to call the OAuth user_info endpoint and get the user profile.

So then what does "expires_in" stand for? It stands for the valid storage duration of each access_token; after that duration, your access_token will be invalid, and you need to call /accessToken to renew it.

Since this is OAuth behavior, I highly doubt there is any setting to allow your described use case to come true.

Actually, after you get a new access_token, you can still use both the new and the old one to get the user profile. So I guess if you really don't want to store the access_token, just getting a new one every time is still valid, although kind of resource intensive...

Hope this helps!

Cheers!
- Andy
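Andy's advice above, keeping the access_token from the token response and reusing it until expires_in has elapsed, as an added example that is not part of the original thread and not CAS project code. The CAS /oauth2.0/accessToken endpoint is replaced by a constructed stand-in that behaves the way Pablo describes (a fresh token on every request); the grant types used (client_credentials first, refresh_token afterwards), the injectable clock and the 5-second early-refresh skew are assumptions.

```python
"""Client-side token cache for a CAS OAuth client (added example).

The cache stores the access_token and its absolute expiry, hands the same
token back while it is still valid, and only goes back to the token
endpoint when the token is about to expire.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# A token fetcher takes the form parameters a real client would POST to
# the CAS /oauth2.0/accessToken endpoint and returns the parsed JSON body.
TokenFetcher = Callable[[Dict[str, str]], Dict[str, object]]


@dataclass
class CachedToken:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # absolute time in seconds, not the relative expires_in


@dataclass
class TokenCache:
    fetch: TokenFetcher
    client_id: str
    client_secret: str
    skew: float = 5.0                       # assumption: renew this early
    clock: Callable[[], float] = time.time  # injectable for testing
    requests_made: int = field(default=0, init=False)
    _token: Optional[CachedToken] = field(default=None, init=False)

    def get_access_token(self) -> str:
        """Return a valid access token, reusing the stored one when possible."""
        now = self.clock()
        if self._token is not None and now < self._token.expires_at:
            return self._token.access_token  # still valid: do not re-request

        params = {"client_id": self.client_id, "client_secret": self.client_secret}
        if self._token is not None and self._token.refresh_token:
            # Expired (or about to): renew with the refresh token we kept.
            params["grant_type"] = "refresh_token"
            params["refresh_token"] = self._token.refresh_token
        else:
            params["grant_type"] = "client_credentials"  # assumption

        body = self.fetch(params)
        self.requests_made += 1
        # expires_in is relative to the moment the response was received,
        # so convert it to an absolute deadline minus the safety skew.
        self._token = CachedToken(
            access_token=str(body["access_token"]),
            refresh_token=body.get("refresh_token"),  # type: ignore[arg-type]
            expires_at=now + float(body["expires_in"]) - self.skew,
        )
        return self._token.access_token


class FakeCasTokenEndpoint:
    """Constructed stand-in for /oauth2.0/accessToken: a new token per call."""

    def __init__(self, expires_in: int = 300) -> None:
        self.expires_in = expires_in
        self.calls = 0
        self.last_grant: Optional[str] = None

    def __call__(self, params: Dict[str, str]) -> Dict[str, object]:
        self.calls += 1
        self.last_grant = params["grant_type"]
        # Shape mirrors the response quoted in the thread; values are constructed.
        return {
            "access_token": f"AT-{self.calls}-constructed",
            "refresh_token": f"RT-{self.calls}-constructed",
            "token_type": "bearer",
            "expires_in": self.expires_in,
            "scope": "",
        }


class FakeClock:
    """Controllable clock so the expiry logic can be exercised offline."""

    def __init__(self, start: float) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    endpoint = FakeCasTokenEndpoint(expires_in=300)
    cache = TokenCache(endpoint, "client-id", "client-secret", clock=clock.now)
    first = cache.get_access_token()
    clock.advance(10)
    print("reused:", cache.get_access_token() == first, "requests:", endpoint.calls)
    clock.advance(290)
    print("renewed:", cache.get_access_token() != first, "grant:", endpoint.last_grant)
```

The second call within the 300-second window returns the token already held and makes no request; once the deadline (minus skew) passes, the cache goes back to the endpoint with the stored refresh_token, which is the flow Andy describes.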

Pablo Vidaurri

Sep 16, 2019, 9:45:45 AM
to cas-...@apereo.org
Thanks for the response. It's just not the behavior when using a Spring-based OAuth server.
