OpenAM : Saving OAuth2 consent

Saving OAuth2 consent: when configured as an OAuth2 service provider, OpenAM is capable of saving the user's consent. This prevents the resource owner from having to validate the authorization consent each time for the same client and scopes.

To save OAuth2 consent, one has to use a multi-valued LDAP attribute in which OpenAM will store the consent string (formed by the application client name and the scopes). On this point, the OpenAM documentation states the following:

« Add a multi-valued string syntax profile attribute to your identity repository. OpenAM stores resource owners’ consent to authorize client access in this profile attribute. On subsequent requests from the same client for the same scopes, the resource owner no longer sees the authorization page.
You are not likely to find a standard profile attribute for this. For evaluation purposes only, you might try an unused existing profile attribute, such as description.
When moving to production, however, use a dedicated, multi-valued, string syntax profile attribute that clearly is not used for other purposes. For example, you might call the attribute oAuth2SavedConsent. »

Important: even if you only want to test this feature, say using the description attribute, you still have to add that attribute to the data store's identity attributes list; otherwise the consent value will never be saved. When moving to production, however, you will have to properly add a new, dedicated consent repository attribute from scratch, as described here.
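To make the behaviour described above concrete, here is an added Python model of the saved-consent attribute; it is example code written for this post, not code from OpenAM or from JANUA. It assumes (this is an assumption, not taken from the OpenAM source) that each attribute value is the client ID followed by the granted scopes separated by spaces, and that a saved entry covers a new request when the same client asks for a subset of the scopes already granted. The attribute name oAuth2SavedConsent is the one suggested in the documentation excerpt; the profile dictionaries and DNs are constructed sample data. The single_valued flag exists only to show why the documentation insists on a multi-valued attribute.

```python
"""Model of an OpenAM-style saved-consent profile attribute (added example).

Assumed value format (not taken from OpenAM source):
    "<clientId> <scope1> <scope2> ..."   e.g. "myClientID email profile"
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Dedicated multi-valued attribute, as recommended by the OpenAM documentation.
CONSENT_ATTR = "oAuth2SavedConsent"


def parse_consent(value: str) -> Tuple[str, FrozenSet[str]]:
    """Split one stored value into (client_id, set of granted scopes)."""
    parts = value.split()
    if not parts:
        raise ValueError("empty consent value")
    return parts[0], frozenset(parts[1:])


def format_consent(client_id: str, scopes: Iterable[str]) -> str:
    """Build the value that would be written to the profile attribute."""
    if " " in client_id:
        raise ValueError("client ID must not contain spaces in this format")
    return " ".join([client_id, *sorted(set(scopes))])


def consent_covers(profile: Dict[str, List[str]], client_id: str, scopes: Iterable[str]) -> bool:
    """True if an earlier consent from this client already covers the requested scopes.

    This is the check that decides whether the resource owner sees the
    authorization page again (assumed subset semantics, see lead-in).
    """
    wanted = frozenset(scopes)
    for value in profile.get(CONSENT_ATTR, []):
        saved_client, saved_scopes = parse_consent(value)
        if saved_client == client_id and wanted <= saved_scopes:
            return True
    return False


def save_consent(profile: Dict[str, List[str]], client_id: str, scopes: Iterable[str],
                 single_valued: bool = False) -> List[str]:
    """Record a consent in the profile and return the attribute's values.

    With a multi-valued attribute every client keeps its own entry. With a
    single-valued attribute (the failure mode the documentation warns about)
    each new consent overwrites the previous one, so users are re-prompted.
    """
    value = format_consent(client_id, scopes)
    values = profile.setdefault(CONSENT_ATTR, [])
    if single_valued:
        values[:] = [value]
    elif value not in values:
        values.append(value)
    return list(values)


def ldif_add_consent(user_dn: str, client_id: str, scopes: Iterable[str]) -> str:
    """LDIF modify record adding one consent value to a user entry.

    This shows the shape of the write the directory must accept, which is why
    the attribute has to be defined as multi-valued in the schema.
    """
    return (
        f"dn: {user_dn}\n"
        "changetype: modify\n"
        f"add: {CONSENT_ATTR}\n"
        f"{CONSENT_ATTR}: {format_consent(client_id, scopes)}\n"
        "-\n"
    )


def demo() -> Dict[str, bool]:
    """Walk through the multi-valued vs single-valued behaviour on sample data."""
    multi: Dict[str, List[str]] = {}          # constructed user profile
    save_consent(multi, "appA", ["profile", "email"])
    save_consent(multi, "appB", ["email"])

    single: Dict[str, List[str]] = {}         # constructed profile, wrong attribute type
    save_consent(single, "appA", ["profile", "email"], single_valued=True)
    save_consent(single, "appB", ["email"], single_valued=True)

    return {
        "multi_appA_email": consent_covers(multi, "appA", ["email"]),
        "multi_appA_openid": consent_covers(multi, "appA", ["openid"]),
        "multi_appB_email": consent_covers(multi, "appB", ["email"]),
        "single_appA_email": consent_covers(single, "appA", ["email"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print(ldif_add_consent("uid=alice,ou=people,dc=example,dc=com", "appA", ["email"]))
```

In the multi-valued case appA's earlier consent still covers a later request for a subset of its scopes, while with a single-valued attribute appB's consent has overwritten appA's and the user is prompted again.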

Daly

Specialised in IAM (security, access control, identity management) and Open Source integration, and founded in 2004 by IAM industry veteran, JANUA offers high value-added products and services to businesses and governments concerned with Identity Management and Open Source components.
JANUA provides better security, builds relationships, and enables new cloud, mobile, and IoT offerings from any device or connected thing.