April 18, 2018 at 5:30 pm #21524
We want to invalidate all the access tokens and refresh tokens issued to the user during password reset and username change.
I am able to locate the token on OpenDJ with the query below. But do we have any factory class from which I will get the OpenDJ connection object from OpenAM for the configuration store?
./ldapsearch -h localhost -p 50389 -D "cn=Directory Manager" -w cangeit -b "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" "(&(coreTokenString03=demo)(coreTokenString09=myClientID)(!(coreTokenString10=access_code)))" coreTokenString10
I am looking into the below, but it's returning user store details.
AMIdentity amIdentity = null;
amIdentity = AuthD.getAuth().getIdentity(IdType.USER, userName,
IdSearchResults searchResults = this.amIdentityRepo
.searchIdentities(IdType.USER, this.userName, idsc);
Does anyone have sample code to connect to OpenDJ and retrieve the above token details from the config store or CTS store? I don't want to manage the OpenDJ connection within my code; if there is any connection factory available in the OpenAM code that I can use, it will be very helpful.
Biswajit Sahoo
April 18, 2018 at 5:55 pm #21525
domingos.creado (Participant)
Have you tried the token administration endpoints provided by OpenAM?
There are endpoints to query the existing tokens for a username and to revoke a specific token.
You can find more details in the OAuth2 guide:
https://backstage.forgerock.com/docs/am/5.5/oauth2-guide/index.html#rest-api-oauth2-token-admin-endpoint
April 19, 2018 at 8:02 am #21529
We are using OpenAM 13.5.0; the endpoint (/frrest/oauth2/token) depends on the amadmin token and it has some defects associated with it.
So we thought we would directly fetch the details from DJ for the user and use the revoke endpoint to revoke them.
Do you know any class which connects to OpenDJ with the base DN of the config store from OpenAM?
Biswajit
April 19, 2018 at 6:01 pm #21535
I have got the code to read the tokens, but it's returning just DNs. Can anyone point out what I am doing wrong here?
Set<String> dns = SMSEntry.search(token, "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=org", "(&([email protected])(coreTokenType=OAUTH)(!(coreTokenString10=access_code)))", 0, 0, false, false);
This just returns the list of DNs (coreTokenId=c9484576-9de9-44a4-8dd9-e4cbeefe62de,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=org)
If I do as follows, it's also returning DNs:
Iterator dns1 = SMSEntry.search(token, "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=org", "(&([email protected])(coreTokenType=OAUTH)(!(coreTokenString10=access_code)))", 0, 0, false, false, null);
Result: SearchResultEntry(name=coreTokenId=c9484576-9de9-44a4-8dd9-e4cbeefe62de,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=org, attributes=, controls=)
If I run the command on DJ, it shows other attributes:
ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=org" "(&([email protected])(coreTokenType=OAUTH)(!(coreTokenString10=access_code)))"
coreTokenString03: [email protected]
Can anyone please help me here?
Biswajit
April 20, 2018 at 2:25 am #21536
handat (Participant)
Try passing in an empty Set instead of null to the search.
April 26, 2018 at 10:13 am #21599
That doesn't help, so I have written my own class by extending the SMSLdapObject class, and now I am able to get the details.
Biswajit
September 18, 2019 at 3:11 pm #26510
mhamdy (Participant)
Would you please tell me how you revoked the refresh token when the password changed?
September 18, 2019 at 3:36 pm #26511
You need to capture all the refresh tokens from the DJ for that user and revoke the tokens by calling the revoke endpoint.
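An added example, not code from this thread or from ForgeRock, showing the client-side half of the procedure the last reply describes: building the CTS filter used above with RFC 4515 escaping of the username (so a name taken from the reset flow cannot alter the filter), parsing the LDIF that ldapsearch prints, and collecting the coreTokenId values to hand to the revoke endpoint. The LDIF is constructed, and the coreTokenString10 value refresh_token is an assumption.

```python
import base64

# Constructed LDIF in the shape ldapsearch prints CTS entries (not captured from a real server);
# the second dn is wrapped onto a continuation line, as ldapsearch does for long values.
SAMPLE_LDIF = """\
dn: coreTokenId=c9484576-9de9-44a4-8dd9-e4cbeefe62de,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=org
coreTokenId: c9484576-9de9-44a4-8dd9-e4cbeefe62de
coreTokenType: OAUTH
coreTokenString03: demo
coreTokenString10: refresh_token

dn: coreTokenId=0a1b2c3d-0000-4000-8000-000000000001,ou=famrecords,ou=openam-session,
 ou=tokens,dc=openam,dc=org
coreTokenId: 0a1b2c3d-0000-4000-8000-000000000001
coreTokenType: OAUTH
coreTokenString03:: ZGVtbw==
coreTokenString10: access_code
"""

def escape_filter_value(value):
    # RFC 4515 escaping, so a username supplied by the reset flow cannot change the filter's shape
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def cts_filter(username):
    # The filter used in the thread: this user's OAUTH tokens, minus authorization codes
    return ("(&(coreTokenString03=%s)(coreTokenType=OAUTH)"
            "(!(coreTokenString10=access_code)))" % escape_filter_value(username))

def parse_ldif(text):
    # ldapsearch output -> list of {attr: [values]}; unwraps continuation lines, decodes "::" base64
    unwrapped = text.replace("\n ", "")
    entries = []
    for block in [b for b in unwrapped.strip().split("\n\n") if b.strip()]:
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            if val.startswith(":"):            # "attr:: <base64>" form
                val = base64.b64decode(val[1:].strip()).decode("utf-8")
            entry.setdefault(attr, []).append(val.strip())
        entries.append(entry)
    return entries

def tokens_to_revoke(ldif_text, username):
    # coreTokenId values to pass to the revoke endpoint, applying cts_filter's predicate client-side
    ids = []
    for e in parse_ldif(ldif_text):
        if (e.get("coreTokenType") == ["OAUTH"] and username in e.get("coreTokenString03", [])
                and "access_code" not in e.get("coreTokenString10", [])):
            ids.extend(e.get("coreTokenId", []))
    return ids
```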