Project: PAT Scanner - ForgeRock/frdp-uma-resource-server GitHub Wiki
Why
The Protection API Token (PAT) may have an expired refresh token, which would disable operations for the given Resource Owner.
How
Have a mechanism that checks the collection of Protection API Tokens (PATs) for an "expiring soon" refresh token. For those expiring PATs, perform an operation that generates a new token.
PAT credential
The Resource Server stores the PAT in a credential database, and it has the following format:
    {
        "access_token" : "goHn5EWMDtq3-0btOC_3SgLTehc",
        "refresh_token" : "z8T-Nsd-aleh94-5n82vhxdmxyw",
        "scope" : "uma_protection",
        "token_type" : "Bearer",
        "expires_in" : 3599
    }
The expires_in attribute applies to the access_token; there is no information on when the refresh_token will expire. It is assumed that the refresh_token is longer-lived than the access_token. The expiration of the refresh_token is determined by the Authorization Server and could be any value from minutes to "never expire".
Update PAT
A solution would be to update the Protection API Token (PAT) before the refresh_token expires. A "scanner" would check all tokens at a given frequency (most likely daily) and update those that are near their expiration. The expiration of a PAT would be a configurable value derived from the lifetime set by the Authorization Server.
What
PAT database record
The MongoDB record for a credential has the following information:
    {
        "_id" : ObjectId("610c54824d55a06d2d5e242e"),
        "data" : {
            "owner" : "dcrane",
            "credential" : {
                "access_token" : "goHn5EWMDtq3-0btOC_3SgLTehc",
                "refresh_token" : "z8T-Nsd-aleh94-5n82vhxdmxyw",
                "scope" : "uma_protection",
                "token_type" : "Bearer",
                "expires_in" : 3599
            },
            "category" : "uma_pat"
        },
        "uid" : "ca4cb6d6-60e6-47af-909d-002411009577",
        "timestamps" : {
            "created" : "2021-08-05T21:13:38.983+0000",
            "updated" : "2021-09-15T15:56:27.554+0000"
        }
    }
The timestamps attributes, along with a configurable expiration value, will be used to determine when a PAT needs to be refreshed.
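The scanner decision described above, as an added example that is not part of the frdp-uma-resource-server code. It uses a constructed record in the same shape as the MongoDB document on this page and assumes that the configurable refresh_token lifetime is counted from the record's "updated" timestamp, with None standing for an Authorization Server that never expires the refresh_token.

```python
from datetime import datetime, timedelta, timezone

# Timestamp layout used by the record's "timestamps" fields, e.g. "2021-09-15T15:56:27.554+0000"
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed sample record (same shape and values as the wiki's example document)
SAMPLE_RECORD = {
    "data": {
        "owner": "dcrane",
        "credential": {
            "access_token": "goHn5EWMDtq3-0btOC_3SgLTehc",
            "refresh_token": "z8T-Nsd-aleh94-5n82vhxdmxyw",
            "scope": "uma_protection",
            "token_type": "Bearer",
            "expires_in": 3599,
        },
        "category": "uma_pat",
    },
    "uid": "ca4cb6d6-60e6-47af-909d-002411009577",
    "timestamps": {
        "created": "2021-08-05T21:13:38.983+0000",
        "updated": "2021-09-15T15:56:27.554+0000",
    },
}

def parse_ts(value):
    """Parse a record timestamp into a timezone-aware datetime."""
    return datetime.strptime(value, TS_FORMAT)

def needs_refresh(record, lifetime_days, window_days, now):
    """True when the PAT's refresh_token is "expiring soon".

    lifetime_days: configurable refresh_token lifetime, or None for "never expire".
    window_days:   how far ahead of expiry the scanner should act.
    Assumption (not stated on the page): the lifetime is counted from the
    "updated" timestamp, i.e. the last time the PAT was stored or refreshed.
    """
    if record.get("data", {}).get("category") != "uma_pat":
        return False  # not a PAT credential record, skip it
    if lifetime_days is None:
        return False  # Authorization Server never expires the refresh_token
    expires_at = parse_ts(record["timestamps"]["updated"]) + timedelta(days=lifetime_days)
    return now >= expires_at - timedelta(days=window_days)

def scan(records, lifetime_days, window_days, now=None):
    """Return the uids of PAT records whose refresh_token should be renewed now."""
    now = now or datetime.now(timezone.utc)
    return [r["uid"] for r in records if needs_refresh(r, lifetime_days, window_days, now)]
```

A daily scanner would call scan() over every "uma_pat" record and then run the token-renewal operation for each returned uid.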