WSO2 Api Manager - How to change the expiration time of JWT? - wso2

I want to change the expiration time of the JWT token created in WSO2 Api Manager.
It seems that the default time is 15 minutes.
{"typ":"JWT","alg":"none"}
{
"iss": "wso2.org/products/am",
"exp": 1464255150998,
...
}
From this link - Wso2 Jira - APIMANAGER-3493 - it seems that we can use the "SecurityContextTTL" property in /repository/conf/api-manager.xml under APIKeyManager to change the expiration time of the JWT.
But I could not find this setting in api-manager.xml (not even as a commented-out configuration). I am using wso2am-1.9.1.
Has this property been removed from the configurations? If yes, then how can we change the expiration time of the JWT?
Is there any documentation available mentioning this property and its usage?
Any pointers are appreciated. Thanks.

It should be applied as follows, under the APIKeyValidator section:
<APIKeyValidator>
<SecurityContextTTL>5</SecurityContextTTL>
</APIKeyValidator>
But as per the Jira you mentioned, it seems there is a bug in this version.
WSO2 has fixed this in the next version (2.0.0), using a new property, see [1].
[1] https://wso2.org/jira/browse/APIMANAGER-4575
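To confirm what TTL the gateway is actually applying, it helps to decode the JWT and read its exp claim directly. The snippet below is an added example, not code from the question or from WSO2: it builds a constructed token with the same header and exp value the question shows, decodes it without any signature check (the header says alg none, so there is no signature to verify; treat the result as inspection only), and reports the remaining validity. The assumption that an exp above 1e11 is in milliseconds rather than the RFC 7519 seconds is a heuristic chosen here to fit the value in the question.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT segment drops before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed sample token (not taken from the page): the header is the one the
# question shows and exp is the millisecond epoch value it quotes.
SAMPLE_HEADER = {"typ": "JWT", "alg": "none"}
SAMPLE_PAYLOAD = {"iss": "wso2.org/products/am", "exp": 1464255150998}
SAMPLE_TOKEN = (
    _b64url(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode())
    + "."
    + _b64url(json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode())
    + "."  # alg none: empty signature segment
)


def parse_jwt(token: str):
    """Split and decode header and payload. No signature verification is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def exp_to_seconds(exp) -> int:
    """Normalise exp to seconds.

    RFC 7519 defines exp in seconds; the token in the question carries a
    millisecond value. Assumption: anything above 1e11 is milliseconds.
    """
    exp = int(exp)
    return exp // 1000 if exp > 10**11 else exp


def seconds_until_expiry(token: str, now=None) -> int:
    """Seconds left before the token's exp claim; negative once expired."""
    _header, payload = parse_jwt(token)
    if "exp" not in payload:
        raise ValueError("token has no exp claim")
    now = int(time.time()) if now is None else int(now)
    return exp_to_seconds(payload["exp"]) - now


if __name__ == "__main__":
    header, payload = parse_jwt(SAMPLE_TOKEN)
    print("alg:", header["alg"], "exp (s):", exp_to_seconds(payload["exp"]))
    print("seconds left:", seconds_until_expiry(SAMPLE_TOKEN))
```

Run it against a token captured from your own gateway and compare the gap between iat and exp with the SecurityContextTTL you configured; if the gap stays at 15 minutes, the setting is not being picked up.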

Related

Token Expiry after 15 minutes using WSO2 Identity Server

I have created a token by using the following API call:
https://wso2identityseverip:port/oauth2/token
I used the generated token in my API via Postman, which gives an accurate response. But after 15 min of idle state, when I use the same token in the API it gives me an error.
{
"code": "900901",
"message": "Invalid Credentials",
"description": "Access failure for API: /url/1.0.0, version: 1.0.0 status: (900901) - Invalid Credentials. Make sure you have provided the correct security credentials"}
Requirement:
The token should expire after an hour. For this I have also added the following configurations in my deployment.toml.
[session.timeout]
idle_session_timeout= "60m"
remember_me_session_timeout= "14d"
extend_remember_me_session_timeout_on_auth=false
But the token is still expiring in 15 min.
The token expiry time is an application-wise config, and the default OAuth token timeout is set to 3600 s (1 h). If you haven't changed this to 15 m, see the following.
If you are experiencing an issue with an invalid token after session timeout, it would happen if your application has enabled SSO Session Based access token binding and you have also configured it to revoke the access token at session expiry (this is enabled by default from WSO2IS-5.11.0 onwards: https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#revoke-access-tokens-on-logoutsession-expiry).
Regarding session time-out configs:
The idle session time-out configs that you added as follows,
[session.timeout]
idle_session_timeout= "60m"
remember_me_session_timeout= "14d"
only apply to tenants that are created after adding the configuration. (Note the note in the green box: https://is.docs.wso2.com/en/5.11.0/learn/configuring-session-timeout/?query=idle_session_timeout#configuration)
In order to change the configs of the already created tenant or carbon.super tenant, you have to log into tenant via the management console, navigate to main tab -> Identity Providers -> Resident, and change the configs there.
Since the error code (code: 900901) is coming from the APIM side, these answers would also help you to troubleshoot
Refer:
https://stackoverflow.com/a/45173578/10055162
https://stackoverflow.com/a/55137885/10055162
I have tried this with the latest IS 6.0.0.
You can change the following:
Default validity period for application access tokens
Default validity period for user access tokens
To do so, you can add the following to the deployment.toml (change the values as you wish).
[oauth.token_validation]
app_access_token_validity=1800
user_access_token_validity=1800
In the latest IS, the default expiry is 3600 seconds (1 hr). But in your case it seems that isn't the case. Adding the above config will update the config files, but it will not update your already created SP configs. The config change will take effect from the next SP creation onwards. To update already created SPs, you have to do it from the carbon console Service Provider settings.
When you do this, make sure to change the refresh token validity period as well.

WSO2 APIM adding sequence for backend server of API

I am working on a scenario where I have to add a sequence to an API using the REST API of APIM 2.6.0 [https://docs.wso2.com/display/AM260/apidocs/publisher/#!/operations#MediationPolicyCollection#apisApiIdPoliciesMediationPost].
Once the mediation policy is added to the respective API, do we have to publish the API once again? When I do it from the publisher, once the sequence is added to direction IN, I save it to get it reflected in synapse.
So, I believe if I am adding the same from the REST API, then I also have to republish it to get it reflected in synapse.
Please let me know if the understanding is correct.
Thanks
Yes, you need to republish the API again to reflect the changes applied. You can check the code when adding a mediation policy for the API in [1].
[1] - https://github.com/wso2/carbon-apimgt/blob/85d02e1864bf77bd53bd269445995ab8e8e9641f/components/apimgt/org.wso2.carbon.apimgt.rest.api.publisher/src/main/java/org/wso2/carbon/apimgt/rest/api/publisher/impl/ApisApiServiceImpl.java#L796
Yes.
Normally, once the API is published, all the changes will be auto-deployed.
So, adding the mediation policies should also be reflected without re-publishing the API.
Update
The answer above is for when using the UI. In REST API, we should republish the API.

WSO2 IS , user account enable/disable issue

Document ref: wso2Is520-link-here
I followed this document to set up the account enable/disable property for users.
However, using the RemoteUserStoreManagerService SOAP service, it's not updating the claim:
http://wso2.org/claims/identity/accountDisabled
All other claims are updatable. Is this a known issue, or am I missing something?
Are you using setUserClaimValue?
The identity claims (which have claim URIs of the form "http://wso2.org/claims/identity/xxxxx") can't be updated by the setUserClaimValue method. They can only be updated with the setUserClaimValues method.

WSO2 APIM Can we set different access/refresh token expiration time for each application

From the WSO2 APIM document here, Access Token, there are configurations for the default expiration time of the access token and refresh token. However, can we set different expiration times for them separately for each application?
Thank you very much.
You can't configure different expiration times for different applications through configuration. But through the API Store, when generating a new token, you can provide the expiration time through the UI.
Refer this link[1] to see how to set the validity time for an application access token from the API Store UI.
[1] - https://docs.wso2.com/display/AM1100/Working+with+Access+Tokens#WorkingwithAccessTokens-Renewingapplicationaccesstokens

WSO2 Identity Server Password Expiry

I'm using WSO2 Identity Server 5.0 for SAML SSO and need to have user passwords expire after n days. I found the following properties in identity-mgt.properties but I can't find any documentation on how to use them. Is this functionality implemented/available?
Authentication.Policy.Check.Password.Expire=false
Authentication.Policy.Password.Expire.Time=0
Thanks
These two properties were initially introduced to IS with the plan of supporting password expiry, but the implementation was never done.
If Authentication.Policy.Check.Password.Expire is set to true, then when the user updates the password, the timestamp of the password update is set as a user claim.
But Authentication.Policy.Password.Expire.Time is not logically used anywhere in the code base, and ideally should be removed.
Anyways, you can achieve the same functionality in a different way using password policy authenticators in IS. Hope this helps.