
SiteMinder : OIDC refresh token validity is not extended when user is active


Article ID: 252744


Products

VIP Authentication Hub, CA Single Sign On Federation (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder), SITEMINDER

Issue/Introduction

SiteMinder acts as the OIDC AuthProvider.

The OIDC Client setting has the refresh_token expiry set to 30 days.

In a mobile app use case, the user launches the app and logs in to obtain an access_token and a refresh_token.

Although the user is active (launching the mobile app frequently during the 30-day period), the refresh_token expires at the end of the 30 days and the user session is rejected.

Environment

Release : 12.8.6

Cause

By design

Resolution

As of SiteMinder R12.8.6, the refresh_token is issued at login and its validity is not extended afterwards, regardless of user activity.

1. There is no option to renew the refresh_token without the user logging in again by providing credentials.
2. The maximum refresh_token expiry you can set within SiteMinder is whatever value the AdminUI allows. The field accepts 3 digits, so it can be set to up to 999 days.
3. It is not advisable to update the session store directly by any means (for example, to manipulate the refresh_token validity).

So the refresh_token expiring on its expiry date is by design.
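To make the behaviour concrete, the following is an added Python model (not SiteMinder code) of a refresh_token with an absolute 30-day lifetime that daily activity does not slide, together with a client-side check that prompts the user to re-authenticate shortly before the cut-off rather than letting the session be rejected; the 2-day warning window and the login timestamp are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

REFRESH_TOKEN_VALIDITY = timedelta(days=30)  # the OIDC client expiry from this article
REAUTH_WARNING_WINDOW = timedelta(days=2)    # assumption: app-side threshold for prompting re-login


@dataclass
class RefreshToken:
    """Model of a refresh_token whose lifetime is fixed at login.

    issued_at is set once and is never moved by a refresh, mirroring the
    "not extended" behaviour described above (constructed model, not SiteMinder code).
    """
    issued_at: datetime
    validity: timedelta = REFRESH_TOKEN_VALIDITY

    @property
    def expires_at(self) -> datetime:
        return self.issued_at + self.validity

    def is_valid(self, now: datetime) -> bool:
        return now < self.expires_at


def refresh_access_token(token: RefreshToken, now: datetime) -> bool:
    """True if a new access_token would be issued for this refresh_token.
    Calling this (user activity) does not slide the refresh_token lifetime."""
    return token.is_valid(now)


def needs_reauth_prompt(token: RefreshToken, now: datetime) -> bool:
    """Client-side mitigation: ask for credentials shortly before the fixed
    expiry instead of letting the session be rejected on day 30."""
    return now >= token.expires_at - REAUTH_WARNING_WINDOW


def simulate_daily_use(days: int) -> List[Tuple[int, bool, bool]]:
    """User opens the app once per day for `days` days after login.
    Returns (day, refresh_succeeded, reauth_prompt_shown) per day."""
    login = datetime(2023, 1, 1, tzinfo=timezone.utc)  # constructed login time
    token = RefreshToken(issued_at=login)
    rows = []
    for day in range(days + 1):
        now = login + timedelta(days=day)
        rows.append((day, refresh_access_token(token, now), needs_reauth_prompt(token, now)))
    return rows
```

Calling `simulate_daily_use(31)` shows the refresh succeeding on days 0 to 29, the re-login prompt appearing from day 28, and the refresh being rejected from day 30 even though the app was opened every day.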


Please upvote the 'idea' on the Communities site if you need SiteMinder to have an option to extend the refresh_token.