Layer7 API Management

  • 1.  User Consent Expiration

    Posted Aug 03, 2020 07:05 PM
    Hi,

    I would like to implement a SSO login in my application where the user consent has an expiration date.

    I know that the API Gateway already provides a SSO solution, but I didn't find anything about configuring some sort of lifetime for the user consent.
    (Link to the documentation: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/installation-workflow/configure-authentication/login-and-consent-behavior.html )

    Does the API Gateway provide this feature? Is it possible to implement this behavior using the SSO provided by the API Gateway?

    Thanks in advance,
    Rafael


  • 2.  RE: User Consent Expiration

    Posted Aug 04, 2020 03:17 AM
    Hello Rafael,
    OAuth and SSO are two different things. When you mention SSO and a consent expiration date, are you referring to OAuth and access token lifetime?
    If so, the access token lifetime is managed via some context variables in the token variables fragment. It is 1h by default, but you can change that value.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/customizing-the-oauth-toolkit/configure-token-lifetime-properties.html

    I hope this helps.

    If it is not OAuth that you need but something else, please feel free to reply to this message with more specifics on the SSO protocol you had in mind: the gateway does support SAML SSO and integration with the CA SSO solution (AKA Siteminder), and other integrations/solutions can be implemented if required.

    Regards,

    ------------------------------
    Maurizio Garzelli
    APIIDA
    APIIDA Principal Consultant
    https://apiida.com
    ------------------------------



  • 3.  RE: User Consent Expiration

    Posted Aug 04, 2020 09:33 AM
    Hello Maurizio,

    Thanks for your response.

    Yes, I'm talking about OAuth. However, I'm not talking about the access token lifetime.
    In the OAuth protocol the client application usually asks for some scopes, and the user must grant or deny this permission, the so-called "user consent".

    This behavior is explained in this page: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/installation-workflow/configure-authentication/login-and-consent-behavior.html

    After login, the user is usually redirected to a consent page (which by default points to /auth/oauth/v2/authorize/consent).



    In the previous image, we can see that the client was asking for the "oob" scope, and I had to choose between granting or denying this permission.

    Now, what I am really asking is whether or not this consent can have an expiration date. In other words, I would like to grant access to the "oob" scope for 12 months, for example (or maybe a user-entered period of time), and after this period the user would have to grant access again.

    Best regards,
    Rafael


  • 4.  RE: User Consent Expiration

    Broadcom Employee
    Posted Aug 07, 2020 11:29 AM
    Hello Rafael,

    The consent here is valid as long as the user has valid tokens or can refresh tokens. Once the user has to log in again, they will be challenged for consent.



  • 5.  RE: User Consent Expiration
    Best Answer

    Posted Aug 08, 2020 06:04 AM
    Edited by Christopher Hackett Aug 13, 2020 03:43 PM
    Hello Rafael,
    Thank you for the clarification.
    As mentioned by Barry too, the consent lifetime is related to the lifetime of the token: in effect, the OAuth2 token is the proof of consent that the client app is using. Once that token has expired, the client app is considered 'not consented' anymore.
    I think it is all in the perception:
    in the past, tokens, cookies and other such elements were normally used to keep the user's authenticated session, but OAuth is more about an authorization session, which in essence is the scopes: with an access token, the app "is consented by the user to access a list of resources" of that user, and this list is (in simple terms) the scopes.

    So by managing the access token lifetime, you manage the consent lifetime directly.

    If you are concerned that this does not seem to be the case because of the refresh token (as long as the access token is used within the refresh token lifetime, the app practically always has consent), then you can either 'disable' (not produce) the refresh token when creating an access token, or make the lifetime of the refresh token shorter than that of the access token, so that once the issued access token expires the user will be asked to consent again.

    I hope this helps.

    ------------------------------
    Maurizio Garzelli
    APIIDA
    APIIDA Chief Technology Advisor APIM
    maurizio.garzelli@apiida.com
    https://apiida.com
    ------------------------------
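
The following is an added illustration, not code from the Layer7 Gateway or the OAuth Toolkit and not written by any participant in this thread. It models the behaviour described in posts 2, 4 and 5: a live access token (or a refresh token that can still mint one) is the proof of consent, and the consent page is shown again only when the client has to go back through the authorization endpoint. The policy field names, the traffic pattern, and the assumption that a successful refresh also issues a new refresh token are all mine; the real OTK context variables are documented on the token-lifetime page linked in post 2 and are not reproduced here.

```python
"""Consent lifetime as a function of OAuth token lifetimes (added model).

Not Layer7 Gateway / OAuth Toolkit code. It simulates a client calling an
API and records every time the user would be sent back to the consent page
under the rule stated in the thread: consent lasts as long as the user has a
valid access token or can refresh one.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HOUR = 3600


@dataclass(frozen=True)
class TokenPolicy:
    """Lifetimes in seconds. Hypothetical names, not OTK context variables."""
    access_lifetime: int
    refresh_lifetime: Optional[int]   # None: no refresh token is issued at all
    rotate_refresh: bool = True       # assumption: a refresh also renews the refresh token


@dataclass
class Grant:
    scope: str
    consented_at: int
    access_expires_at: int
    refresh_expires_at: Optional[int]


def authorize(policy: TokenPolicy, scope: str, now: int) -> Grant:
    """User logs in and approves the consent page; an access (and maybe refresh) token is issued."""
    refresh_exp = None if policy.refresh_lifetime is None else now + policy.refresh_lifetime
    return Grant(scope, now, now + policy.access_lifetime, refresh_exp)


def try_refresh(policy: TokenPolicy, grant: Grant, now: int) -> Optional[Grant]:
    """Refresh-token grant: succeeds only while the refresh token is still valid.

    Consent is carried over unchanged, so the user sees no consent page."""
    if grant.refresh_expires_at is None or now >= grant.refresh_expires_at:
        return None
    refresh_exp = now + policy.refresh_lifetime if policy.rotate_refresh else grant.refresh_expires_at
    return Grant(grant.scope, grant.consented_at, now + policy.access_lifetime, refresh_exp)


def consent_prompts(policy: TokenPolicy, scope: str, call_times: List[int]) -> List[int]:
    """Replay a client's API calls; return the times at which the consent page is shown."""
    prompts: List[int] = []
    grant: Optional[Grant] = None
    for t in sorted(call_times):
        if grant is not None and t < grant.access_expires_at:
            continue                          # access token still valid, call just proceeds
        if grant is not None:
            renewed = try_refresh(policy, grant, t)
            if renewed is not None:
                grant = renewed               # silent renewal, no consent page
                continue
        grant = authorize(policy, scope, t)   # back through /authorize: consent page shown
        prompts.append(t)
    return prompts


# Constructed traffic pattern: a few calls over four days, then a 60h idle gap.
CALLS = [0, 2 * HOUR, 20 * HOUR, 30 * HOUR, 40 * HOUR, 100 * HOUR]

# Default-like policy: 1h access token (the OTK default named in post 2) with a 24h refresh token.
DEFAULT = TokenPolicy(access_lifetime=HOUR, refresh_lifetime=24 * HOUR)
# Option 1 from post 5: do not issue a refresh token at all.
NO_REFRESH = TokenPolicy(access_lifetime=HOUR, refresh_lifetime=None)
# Option 2 from post 5: refresh token shorter than the access token.
SHORT_REFRESH = TokenPolicy(access_lifetime=HOUR, refresh_lifetime=30 * 60)


def scenarios() -> Dict[str, List[int]]:
    """Consent-page timestamps for each policy over the constructed traffic."""
    return {
        "default": consent_prompts(DEFAULT, "oob", CALLS),
        "no_refresh": consent_prompts(NO_REFRESH, "oob", CALLS),
        "short_refresh": consent_prompts(SHORT_REFRESH, "oob", CALLS),
        # A client calling every 12h for 30 days never idles past the 24h refresh
        # lifetime, so under the default policy it is never asked for consent again.
        "default_steady": consent_prompts(DEFAULT, "oob", [i * 12 * HOUR for i in range(60)]),
    }


if __name__ == "__main__":
    for name, prompts in scenarios().items():
        print(f"{name:15s} consent page shown at hours: {[p // HOUR for p in prompts]}")
```

Under the default-like policy the consent page appears at hour 0 and again only after the 60h idle gap (hour 100); an active client is never re-prompted, which is exactly the "practically always has consent" effect post 5 describes. With no refresh token, or with a refresh token shorter than the access token, every call made after the 1h access lifetime triggers the consent page again. A fixed consent window of the kind the question asks for therefore cannot be expressed through a rotating refresh token alone; it falls out of the access token lifetime once the refresh token is dropped, and a 12-month access lifetime means a bearer token that stays usable for that whole period if it leaks.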