fixed default token lifetimes for heart mode

Author: jricher

openid-connect-server-webapp/src/main/webapp/resources/js/admin.js

@@ -495,7 +495,8 @@ var AppRouter = Backbone.Router.extend({
  defaultMaxAge:60000,
  scope: _.uniq(_.flatten(app.systemScopeList.defaultScopes().pluck("value"))),
  accessTokenValiditySeconds:3600,
- idTokenValiditySeconds:600,
+ refreshTokenValiditySeconds:24*3600,
+ idTokenValiditySeconds:300,
  grantTypes: ["authorization_code"],
  responseTypes: ["code"],
  subjectType: "PUBLIC",

openid-connect-server-webapp/src/main/webapp/resources/template/client.html

@@ -426,7 +426,7 @@ <h1 data-i18n="client.client-form.edit"></h1>
 <div class="controls">
 <% if (!heartMode) { %>
  <div>
- <input type="radio" id="tokenEndpointAuthMethodBasic" name="tokenEndpointAuthMethod" value="SECRET_BASIC" <%-((client.tokenEndpointAuthMethod == 'SECRET_BASIC') || (!tokenEndpointAuthMethod) ? 'checked' : '')%>>
+ <input type="radio" id="tokenEndpointAuthMethodBasic" name="tokenEndpointAuthMethod" value="SECRET_BASIC" <%-((client.tokenEndpointAuthMethod == 'SECRET_BASIC') || (!client.tokenEndpointAuthMethod) ? 'checked' : '')%>>
  <label for="tokenEndpointAuthMethodBasic" class="radio" data-i18n="client.client-form.secret-http">Client Secret over HTTP Basic</label>
  </div>
  <div>
@@ -439,7 +439,7 @@ <h1 data-i18n="client.client-form.edit"></h1>
  </div>
 <% } %>
  <div>
- <input type="radio" id="tokenEndpointAuthMethodAssym" name="tokenEndpointAuthMethod" value="PRIVATE_KEY" <%-((client.tokenEndpointAuthMethod == 'PRIVATE_KEY') || (heartMode && !tokenEndpointAuthMethod) ? 'checked' : '')%>>
+ <input type="radio" id="tokenEndpointAuthMethodAssym" name="tokenEndpointAuthMethod" value="PRIVATE_KEY" <%-((client.tokenEndpointAuthMethod == 'PRIVATE_KEY') || (heartMode && !client.tokenEndpointAuthMethod) ? 'checked' : '')%>>
  <label for="tokenEndpointAuthMethodAssym" class="radio" data-i18n="client.client-form.secret-asymmetric-jwt">Asymmetrically-signed JWT assertion</label>
  </div>
  <div>
@@ -591,7 +591,7 @@ <h1 data-i18n="client.client-form.edit"></h1>
  <label for="disableRefreshTokenTimeout" class="checkbox" data-i18n="client.client-form.refresh-tokens-no-expire">Refresh tokens do not time out</label>
 </div>
  <div>
- <input type="text" class="" value="<%-(client.refreshTokenValiditySeconds == null ? '' : refreshTokenValiditySeconds)%>" id="refresh-token-timeout-time" size="16" style="width:8em;">
+ <input type="text" class="" value="<%-(client.refreshTokenValiditySeconds == null ? '' : client.refreshTokenValiditySeconds)%>" id="refresh-token-timeout-time" size="16" style="width:8em;">
 <select id="refresh-token-timeout-unit" style="width:8em;">
 <option data-i18n="client.client-form.seconds">seconds</option>
 <option data-i18n="client.client-form.minutes">minutes</option>

openid-connect-server-webapp/src/main/webapp/resources/template/dynreg.html

@@ -333,7 +333,7 @@ <h1 data-i18n="client.client-form.edit"></h1>
  </div>
 <% } %>
  <div>
- <input type="radio" id="tokenEndpointAuthMethodAssym" name="tokenEndpointAuthMethod" value="private_key_jwt" <%-((client.token_endpoint_auth_method == 'private_key_jwt') || (heartMode && !tokenEndpointAuthMethod) ? 'checked' : '')%>>
+ <input type="radio" id="tokenEndpointAuthMethodAssym" name="tokenEndpointAuthMethod" value="private_key_jwt" <%-((client.token_endpoint_auth_method == 'private_key_jwt') || (heartMode && !client.tokenEndpointAuthMethod) ? 'checked' : '')%>>
  <label for="tokenEndpointAuthMethodAssym" class="radio" data-i18n="client.client-form.secret-asymmetric-jwt">Asymmetrically-signed JWT assertion</label>
  </div>
  <div>

openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java

@@ -153,9 +153,26 @@ public String registerNewClient(@RequestBody String jsonString, Model m) {
 }
 
 // set some defaults for token timeouts
-newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(1)); // access tokens good for 1hr
-newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(10)); // id tokens good for 10min
-newClient.setRefreshTokenValiditySeconds(null); // refresh tokens good until revoked
+if (config.isHeartMode()) {
+// heart mode has different defaults depending on primary grant type
+if (newClient.getGrantTypes().contains("authorization_code")) {
+newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(1)); // access tokens good for 1hr
+newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(5)); // id tokens good for 5min
+newClient.setRefreshTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(24)); // refresh tokens good for 24hr
+} else if (newClient.getGrantTypes().contains("implicit")) {
+newClient.setAccessTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(15)); // access tokens good for 15min
+newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(5)); // id tokens good for 5min
+newClient.setRefreshTokenValiditySeconds(0); // no refresh tokens
+} else if (newClient.getGrantTypes().contains("client_credentials")) {
+newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(6)); // access tokens good for 6hr
+newClient.setIdTokenValiditySeconds(0); // no id tokens
+newClient.setRefreshTokenValiditySeconds(0); // no refresh tokens
+}
+} else {
+newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(1)); // access tokens good for 1hr
+newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(10)); // id tokens good for 10min
+newClient.setRefreshTokenValiditySeconds(null); // refresh tokens good until revoked
+}
 
 // this client has been dynamically registered (obviously)
 newClient.setDynamicallyRegistered(true);