fixed default token lifetimes for heart mode

2016-03-18 22:02:28 -04:00 · 2016-03-18 22:02:28 -04:00 · 89316cbab1
parent 9691f02772
commit 89316cbab1
4 changed files with 26 additions and 8 deletions
--- a/openid-connect-server-webapp/src/main/webapp/resources/js/admin.js
+++ b/openid-connect-server-webapp/src/main/webapp/resources/js/admin.js
@ -495,7 +495,8 @@ var AppRouter = Backbone.Router.extend({
            		defaultMaxAge:60000,
            		scope: _.uniq(_.flatten(app.systemScopeList.defaultScopes().pluck("value"))),
            		accessTokenValiditySeconds:3600,
-            		idTokenValiditySeconds:600,
+            		refreshTokenValiditySeconds:24*3600,
            		idTokenValiditySeconds:300,
            		grantTypes: ["authorization_code"],
            		responseTypes: ["code"],
            		subjectType: "PUBLIC",
--- a/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
+++ b/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
@ -426,7 +426,7 @@
 				<div class="controls">
 					<% if (!heartMode) { %>
                    <div>
-                        <input type="radio" id="tokenEndpointAuthMethodBasic" name="tokenEndpointAuthMethod" value="SECRET_BASIC" <%-((client.tokenEndpointAuthMethod == 'SECRET_BASIC') || (!tokenEndpointAuthMethod) ? 'checked' : '')%>>
+                        <input type="radio" id="tokenEndpointAuthMethodBasic" name="tokenEndpointAuthMethod" value="SECRET_BASIC" <%-((client.tokenEndpointAuthMethod == 'SECRET_BASIC') || (!client.tokenEndpointAuthMethod) ? 'checked' : '')%>>
                        <label for="tokenEndpointAuthMethodBasic" class="radio" data-i18n="client.client-form.secret-http">Client Secret over HTTP Basic</label>
                    </div>
                    <div>
@ -439,7 +439,7 @@
                    </div>
 					<% } %>
                    <div>
-                        <input type="radio" id="tokenEndpointAuthMethodAssym" name="tokenEndpointAuthMethod" value="PRIVATE_KEY" <%-((client.tokenEndpointAuthMethod == 'PRIVATE_KEY')  || (heartMode && !tokenEndpointAuthMethod) ? 'checked' : '')%>>
+                        <input type="radio" id="tokenEndpointAuthMethodAssym" name="tokenEndpointAuthMethod" value="PRIVATE_KEY" <%-((client.tokenEndpointAuthMethod == 'PRIVATE_KEY')  || (heartMode && !client.tokenEndpointAuthMethod) ? 'checked' : '')%>>
                        <label for="tokenEndpointAuthMethodAssym" class="radio" data-i18n="client.client-form.secret-asymmetric-jwt">Asymmetrically-signed JWT assertion</label>
                    </div>
                    <div>
@ -591,7 +591,7 @@
                        <label for="disableRefreshTokenTimeout" class="checkbox" data-i18n="client.client-form.refresh-tokens-no-expire">Refresh tokens do not time out</label>
 					</div>
                    <div>
-                        <input type="text" class="" value="<%-(client.refreshTokenValiditySeconds == null ? '' : refreshTokenValiditySeconds)%>" id="refresh-token-timeout-time" size="16" style="width:8em;">
+                        <input type="text" class="" value="<%-(client.refreshTokenValiditySeconds == null ? '' : client.refreshTokenValiditySeconds)%>" id="refresh-token-timeout-time" size="16" style="width:8em;">
 						<select id="refresh-token-timeout-unit" style="width:8em;">
 							<option data-i18n="client.client-form.seconds">seconds</option>
 							<option data-i18n="client.client-form.minutes">minutes</option>
--- a/openid-connect-server-webapp/src/main/webapp/resources/template/dynreg.html
+++ b/openid-connect-server-webapp/src/main/webapp/resources/template/dynreg.html
@ -333,7 +333,7 @@
                    </div>
 					<% } %>
                    <div>
-                        <input type="radio" id="tokenEndpointAuthMethodAssym" name="tokenEndpointAuthMethod" value="private_key_jwt" <%-((client.token_endpoint_auth_method == 'private_key_jwt')  || (heartMode && !tokenEndpointAuthMethod) ? 'checked' : '')%>>
+                        <input type="radio" id="tokenEndpointAuthMethodAssym" name="tokenEndpointAuthMethod" value="private_key_jwt" <%-((client.token_endpoint_auth_method == 'private_key_jwt')  || (heartMode && !client.tokenEndpointAuthMethod) ? 'checked' : '')%>>
                        <label for="tokenEndpointAuthMethodAssym" class="radio" data-i18n="client.client-form.secret-asymmetric-jwt">Asymmetrically-signed JWT assertion</label>
                    </div>
                    <div>
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
@ -153,9 +153,26 @@ public class DynamicClientRegistrationEndpoint {
 			}
 			// set some defaults for token timeouts
-			newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(1)); // access tokens good for 1hr
+			if (config.isHeartMode()) {
-			newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(10)); // id tokens good for 10min
+				// heart mode has different defaults depending on primary grant type
-			newClient.setRefreshTokenValiditySeconds(null); // refresh tokens good until revoked
+				if (newClient.getGrantTypes().contains("authorization_code")) {
 					newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(1)); // access tokens good for 1hr
 					newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(5)); // id tokens good for 5min
 					newClient.setRefreshTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(24)); // refresh tokens good for 24hr
 				} else if (newClient.getGrantTypes().contains("implicit")) {
 					newClient.setAccessTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(15)); // access tokens good for 15min
 					newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(5)); // id tokens good for 5min
 					newClient.setRefreshTokenValiditySeconds(0); // no refresh tokens
 				} else if (newClient.getGrantTypes().contains("client_credentials")) {
 					newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(6)); // access tokens good for 6hr
 					newClient.setIdTokenValiditySeconds(0); // no id tokens
 					newClient.setRefreshTokenValiditySeconds(0); // no refresh tokens
 				}
 			} else {
 				newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(1)); // access tokens good for 1hr
 				newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(10)); // id tokens good for 10min
 				newClient.setRefreshTokenValiditySeconds(null); // refresh tokens good until revoked
 			}
 			// this client has been dynamically registered (obviously)
 			newClient.setDynamicallyRegistered(true);