...

  • Checking if the response contains the field "active". The value of the field is expected to be "true".
  • Checking if the Access Token is not expired.
  • Checking if the Client ID (aud) stored in the ID Token is the same as in the configuration of the Identity Service.
  • Checking if the issuer (iss) stored in the ID Token is the same as the OIDC Authentication URL in the configuration of the Identity Service.
  • Checking if the account (e-mail) stored in the ID Token is the same as the field "email" in the response of the userinfo endpoint.
  • Checking if the signature is valid with the given public key. The public key is retrieved from the certs endpoint, whose URL is the value of jwks_uri in the response of the /.well-known/openid-configuration call. The response of the certs endpoint includes a number of keys. The public key is found in the field "n" of the element whose "kid" field has the same value as the "kid" field in the header of the ID Token.


  • calculated from the key entry, using the values for n and e of the corresponding array element whose kid value matches the kid value in the token header.
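As an added example (not part of the JOC Cockpit documentation or product code), the checks listed above carried out in Python on an ID Token and the JWKS document from the certs endpoint: the signing key is selected by its kid and the RS256 signature is verified from n and e alone, as the list describes. Issuer, Client ID, the userinfo e-mail and the introspection response are passed in as parameters; the function and parameter names are assumptions, not the Identity Service's own.

```python
import base64, hashlib, json
# DER prefix of the SHA-256 DigestInfo used by RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwk_for_kid(jwks: dict, kid: str) -> dict:
    """Select the certs-endpoint entry whose 'kid' equals the 'kid' in the token header."""
    for key in jwks["keys"]:
        if key.get("kid") == kid:
            return key
    raise ValueError(f"no JWKS entry for kid {kid!r}")

def rs256_valid(signing_input: bytes, sig: bytes, jwk: dict) -> bool:
    """Verify RS256 with only the public-key parameters n and e of the JWKS entry."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def validate_id_token(id_token: str, jwks: dict, issuer: str, client_id: str,
                      userinfo_email: str, introspection: dict, now: float) -> list:
    """Run the checks listed above; returns the names of the failed checks ([] = accepted)."""
    h_b64, p_b64, s_b64 = id_token.split(".")
    header = json.loads(b64url_decode(h_b64))
    claims = json.loads(b64url_decode(p_b64))
    aud = claims.get("aud")                      # 'aud' may be a string or a list of strings
    failures = []
    if introspection.get("active") is not True:  # introspection response must say active: true
        failures.append("active")
    if claims.get("exp", 0) <= now:              # exp is seconds since the epoch
        failures.append("exp")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        failures.append("aud")
    if claims.get("iss") != issuer:              # must equal the configured OIDC Authentication URL
        failures.append("iss")
    if claims.get("email") != userinfo_email:    # must equal 'email' from the userinfo endpoint
        failures.append("email")
    try:
        jwk = jwk_for_kid(jwks, header.get("kid"))
        if header.get("alg") != "RS256" or not rs256_valid(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), jwk):
            failures.append("signature")
    except ValueError:
        failures.append("kid")
    return failures
```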

Token Renewal

The token contains the point in time at which it expires. 30s before that time, the token is renewed.

Examples for Use with Identity Providers

...

A Client has to be configured in the OIDC Identity Provider. The Client ID and Client Secret of this Client are specified during login. To renew the token, the token endpoint is called with:

  • client-id: The Client ID that is configured in the JOC Cockpit Identity Service
  • client-secret: The Client Secret that is configured in the JOC Cockpit Identity Service
  • grant-type: refresh_token
  • refresh-token: The refresh token that has been provided in the header of the login call.

The JOC Cockpit session expiration time is configured in the JOC Cockpit global settings for Identity Services.

When the session in the Identity Provider is no longer valid, the JOC Cockpit session ends at the point in time when the next session renewal is executed.

Keycloak Identity Provider

...