When we implement claim-based single sign-on, how does an issuer maintain the list of tokens it allots to a particular user for an application?
What about the time period for which the issued token is valid?
Suppose a token is granted for application1; if the user wants to shift to application2, for how much time will that token be valid? Is there some expiration time?
You didn't define any tooling, so I would assume it is your own SSO solution, and in that regard you have multiple solutions.
There are two steps: Authentication (that's SSO itself with a date check) and Authorization (that's which app can I access).
What you are describing are roles. Roles associate a user with a list of privileges (like access to App1 and App2, but not App3), and those are typically defined in the database. The "userId" and the token expiration, however, are typically part of the token itself.
For instance, you could take the userId + a timestamp and encrypt it. Upon each communication with the server, the token is deciphered, the timestamp range is validated (that's authentication), and the userId is looked up to figure out what roles it has (that's authorization).
I would recommend regenerating the token on every round trip and giving it a small validity period.
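A minimal version of the scheme this answer describes, written as an added example (not code from the question or the answer): the token carries the userId plus issue and expiry timestamps, the server checks the timestamp range (authentication), looks the user up in a role table (authorization), and reissues a short-lived token on every round trip. As an assumption, the token is integrity-protected with an HMAC tag rather than encrypted; `SECRET`, `ROLES`, `TOKEN_TTL` and the function names are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data (assumptions): server-side key and role table.
SECRET = b"server-side-secret-key"
ROLES = {"alice": ["App1", "App2"], "bob": ["App2"]}
TOKEN_TTL = 300  # short validity period in seconds, as the answer suggests

def issue_token(user_id, now=None, ttl=TOKEN_TTL):
    """Bind userId + issue/expiry timestamps into a token with an HMAC tag."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return (body + b"." + base64.urlsafe_b64encode(tag)).decode()

def authenticate(token, now=None):
    """Step 1: verify the tag and the timestamp range; return claims or None."""
    now = time.time() if now is None else now
    try:
        body, tag = token.encode().split(b".", 1)
        expected = hmac.new(SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(tag), expected):
            return None  # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        if not (claims["iat"] <= now < claims["exp"]):
            return None  # expired or not yet valid
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return None  # malformed token
    return claims

def authorize(user_id, app):
    """Step 2: look up the user's roles (here an in-memory table, not a DB)."""
    return app in ROLES.get(user_id, [])

def handle_request(token, app, now=None):
    """One round trip: authenticate, authorize, then rotate the token."""
    claims = authenticate(token, now)
    if claims is None:
        return (False, None)
    allowed = authorize(claims["sub"], app)
    # Regenerate the token on every successful round trip with fresh validity.
    fresh = issue_token(claims["sub"], now) if allowed else None
    return (allowed, fresh)
```

The same token is accepted for App1 and App2 because the role lookup, not the token, decides which applications a user may reach; the expiry is the same for both.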