Summary
Explanation of the OAuth client secret expiry setting
Products
Access Manager (NAM)
Environment
Access Manager Version 5.0.3 and previous versions.
Situation
When a new client was created through the API, the output contained a field named clientSecretExpiresAt= holding a UNIX timestamp (seconds since 1 January 1970 UTC).
Converting this timestamp with a UNIX timestamp converter showed that it was set to 24 hours after the time the client secret was created.
This raised the question of whether the secret would still be valid after 24 hours.
The attribute nidsOAuthClientXML contains the relevant fields, clientIdIssuedAt and clientSecretExpiresAt (see the screenshot below).
These fields are not exposed in the administration console as values you can set.
Cause
During the initial development phase these fields were part of the OAuth specification, but they have never been used effectively.
There is no code in place that checks and invalidates the client secret when the date and time set in the clientSecretExpiresAt attribute has been reached.
Additional Information
Reported to engineering
URL Name
KM000016164