Skip to content
Connect2id

Authorisation store

The Connect2id server has a dedicated authorisation store to track or persist the following OAuth 2.0 objects:

  • Authorisation codes, until they get exchanged for a token, or expire.

  • Identifier-based access tokens, until they expire or get revoked. Self - contained (JWT-encoded) are not saved on the server.

  • Refresh tokens, until they get revoked or expire (unless the refresh token is permanent).

  • Long-lived (persisted) OAuth 2.0 authorisations, to remember previously given consent by end-users to clients, until the authorisation gets revoked.

  • Revocation journal entries.

The authorisation store configuration is located in the following file:

WEB-INF/authzStore.properties

The configuration properties are split into four sections:

  1. Web API settings
  2. Authorisation code settings
  3. Access token settings
  4. Refresh token settings
  5. Miscellaneous options

Any property in the configuration file can be overridden with a Java system property, e.g. by setting the optional -D argument at JVM startup:

-DauthzStore.code.lifetime=1200

The external configuration guide has tips for setting system properties from environment variables, local files and other locations.

1. Web API

authzStore.apiAccessToken

The access token for the web API of the authorisation store. It is of type Bearer and non-expiring. Must contain at least 32 random alphanumeric characters to make brute force guessing impractical. If blank (unspecified) the web API will be disabled.

authzStore.apiAccessToken = ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

2. Authorisation code

The authzStore.code.* group contains a single property which sets the lifetime of issued authorisation codes.

authzStore.code.lifetime

The authorisation code lifetime in seconds. Should be long enough to permit a client to make a token request to exchange the code for an ID / access token. Must not be shorter than 60 seconds (1 minute) or longer than 600 seconds (10 minutes).

authzStore.code.lifetime = 600

3. Access token

The authzStore.accessToken.* properties set the default preferences of issued OAuth 2.0 access tokens such as lifetime and encoding.

authzStore.accessToken.defaultLifetime

The default access token lifetime in seconds. Can be overridden by individual authorisations. Must be a positive integer.

authzStore.accessToken.defaultLifetime = 600

authzStore.accessToken.jwsAlgorithm

The JSON Web Signature (JWS) algorithm for signing the self-contained (JWT-encoded) access tokens. Must be a valid and supported RSA-SSA JWS algorithm:

  • RS256 (recommended)
  • RS384
  • RS512
  • PS256
  • PS384
  • PS512
authzStore.accessToken.jwsAlgorithm = RS256

authzStore.accessToken.jweAlgorithm

The JSON Web Encryption (JWE) algorithm for the self-contained (JWT-encoded) access tokens which are encrypted after signing. Only direct encryption (dir) with a shared key is supported.

  • dir
authzStore.accessToken.jweAlgorithm = dir

authzStore.accessToken.jweMethod

The JSON Web Encryption method for the self-contained (JWT-encoded) access tokens which are encrypted after signing. Must be a valid and supported JWE method.

  • A128GCM (recommended)
  • A192GCM
  • A256GCM
  • A128CBC_HS256
  • A192CBC_HS384
  • A256CBC_HS512
authzStore.accessToken.jweMethod = A128GCM

authzStore.accessToken.jtiByteLength

The size in bytes of the generated (using a secure function) identifiers (see jti claim) in self-contained (JWT-encoded) access tokens. Must be at least 8 bytes long to minimise the likelihood of identifier collision.

authzStore.accessToken.jtiByteLength = 8

authzStore.accessToken.allowDirectInspection

If true an access token can be inspected without presenting the master Bearer access token to the authorisation store web API.

authzStore.accessToken.allowDirectInspection = false

4. Refresh token

The authzStore.refreshToken.* properties set the default preferences of issued OAuth 2.0 refresh tokens.

authzStore.refreshToken.alwaysUpdate

If true causes the refresh token to be updated on each authorisation update and on each refresh token use. Defaults to false (no update). Since v6.13.

authzStore.refreshToken.alwaysUpdate = false

5. Authorisation store options

The authzStore.options.* properties contains two settings.

authzStore.options.highlyAvailableMode

With an enabled highly-available mode the authorisation store will continue providing basic service even if the backend database is down or disconnected. The required data will be served from the caches if possible and database connection exceptions will not cause requests to fail (they will be logged at ERROR level however).

authzStore.options.highlyAvailableMode = true

authzStore.options.discardedAttributes

List of the optional authorisation attributes that are to be automatically discarded from new authorisation objects, in order to conserve cache memory and back-end storage.

authzStore.options.discardedAttributes =