On Tue, Apr 3, 2018 at 10:20 AM, Schuster Sebastian (INST/ESY1)
<Sebastian.Schuster(a)bosch-si.com> wrote:
> I really like 3) because this might be a way of getting around having
> to do token signing externally in an HSM, depending on company regulations.
> Btw. how about allowing to override token lifetimes also based on the involved
> roles/scopes? Lifetimes are essentially a security/efficiency tradeoff and for critical
> roles, I would really like to tune that tradeoff towards security.
> That would probably be something in the line of creating a token with the minimum
> lifetime configured by realm/client/role....
So, each role, scope, protocol mapper could specify a token timeout?
The token issuer logic would just pick the smallest timeout based on
the roles, scopes, protocol mappers used to build the token?
All this would be a completely separate feature/PR/Jira.
Work should be broken up into:
* offline access token timeout for realm
* reference tokens
* per client timeouts
* per role, scope, protocol mapper timeouts.
--
Bill Burke
Red Hat
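A sketch of the "pick the smallest timeout" rule discussed above, added here as an example; it is not Keycloak code and not code from anyone in the thread. The TimeoutPolicy fields, the source labels and the sample values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the proposal: realm, client, role, scope and protocol
# mapper may each carry a token timeout, and the issuer takes the smallest one
# among the levels that actually built the token. Hypothetical, not Keycloak's.
@dataclass
class TimeoutPolicy:
    realm_lifespan: int                                   # seconds; always set
    client_lifespan: Optional[int] = None                 # per-client override
    role_lifespans: dict = field(default_factory=dict)    # role name -> seconds
    scope_lifespans: dict = field(default_factory=dict)   # scope name -> seconds
    mapper_lifespans: dict = field(default_factory=dict)  # mapper name -> seconds


def effective_lifespan(policy, roles, scopes, mappers):
    """Return (seconds, source) for the token being built.

    Only levels that contributed to this token participate; a level with no
    configured value is skipped. Because the result is a minimum, a role or
    scope value can only shorten the realm lifetime, never extend it, and the
    source label records which level won so the decision is auditable.
    """
    candidates = [(policy.realm_lifespan, "realm")]
    if policy.client_lifespan is not None:
        candidates.append((policy.client_lifespan, "client"))
    candidates += [(policy.role_lifespans[r], f"role:{r}")
                   for r in roles if r in policy.role_lifespans]
    candidates += [(policy.scope_lifespans[s], f"scope:{s}")
                   for s in scopes if s in policy.scope_lifespans]
    candidates += [(policy.mapper_lifespans[m], f"mapper:{m}")
                   for m in mappers if m in policy.mapper_lifespans]
    # min() keeps the first entry on ties, so the realm wins when values are equal.
    return min(candidates, key=lambda c: c[0])


# Constructed sample policy: the critical "admin" role and the "payments" scope
# get much shorter tokens than the realm default; the client's own value is
# longer than the realm's and therefore never wins.
POLICY = TimeoutPolicy(
    realm_lifespan=300,
    client_lifespan=600,
    role_lifespans={"admin": 60},
    scope_lifespans={"payments": 120},
)

if __name__ == "__main__":
    for roles, scopes in [(["user"], ["openid"]), (["admin"], ["openid"]),
                          (["user"], ["openid", "payments"])]:
        print(roles, scopes, "->", effective_lifespan(POLICY, roles, scopes, []))
```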