Solved: Re: Oauth access tokens

ravi.pandey · ‎02-03-2023

i have been doing some tests in lab, we have LDAP enabled users and

1.oauth refresh flow is disabled

2. access toekn by default expiry is 60mins

3. users have their LDAP credentials setup under webex phone services

My observation has been that i don't get a prompt to reauthenticate to phone services after 60mins. This means that Oauth "access token" will only come in picture if we have "Oauth refresh login flow" enabled, with that disabled there is no Authorization flow. Am i correct in my assessment.

ravi.pandey · ‎02-04-2023

Conclusion is : Oauth has 2 flows, implicit and Oauth grant flow, implicit supports access token only with saml sso, hence if you have "oauth refresh login flow" disabled with SSO on access token will still come into picture, but if you have LDAP as authentication and " oauth refresh login flow" disabled, access token Authorization won't come into picture. LDAP only supports Oauth grant flow and that too from 12.x onwards.

View solution in original post

ravi.pandey · ‎02-03-2023

here it says otherwise, based on this shouldn't i have been prompted for re-authentication?

Jonathan Schulenberg · ‎02-04-2023

I read that statement to mean that the AuthZ service is running regardless of the OAuth refresh flow parameter as of that version but that Jabber will respect the OAuth parameter.

So, while that setting is off Jabber will use HTTP Basic authentication with the user’s credentials if SAML SSO is off.

Also, OAuth has two tokens: access and refresh. Refresh (60 day validity) is used to fetch access (60 minute validity) tokens. Neither will be used when that parameter is off.

Deploying OAuth with Cisco Collaboration Solution Release 12.0

ravi.pandey · ‎02-04-2023

Exactly Jonathan, if you read between the lines in some other docs, it says the process to enabled Oauth is by setting that parameter to enable(refresh login flow) . That is why with ldap and no sso on cucm am not prompted for authentication every 60mins.
Am also doing some more tests to validate this with sso enabled with azure as an IdP, and refresh login flow disabled on cucm. In last 2 hours, I’ve received phone reauthentication prompt twice, but i think it could be due to the fact that on azure i have a CA policy with “ sign in “ frequency set to 1 hr. To validate this further, in my next attempt I’ll raised the access token timer to 90mins when i login to see where the reauthentication is being triggered from( unfortunately I can’t change it on azure side bcoz am not ad admin).
Will post the result here

Jonathan Schulenberg · ‎02-04-2023

When SAML SSO is enabled - and Jabber no longer has user credentials - the user will have to authenticate with the IdP whenever the SAML cookie expires.

Just to be clear: if OAuth was enabled the user would only need to authenticate again when the refresh token expires.

ravi.pandey · ‎02-04-2023

so i tested it thrice, and it seems like access token expiry is kicking in

1. i got a phone session expired message on webex app, before i signed in i went to the enterprise parameter and set the access token to 80mins from 60mins , note : oauth refresh login is already set to disabled and SSO is enabled

2. then i signed into phone services and after exact 80mins , my phone session again expired and prompted me for login

above steps were tested 3 times, this means access token is kicking in even with "oauth refresh" set to disabled, then why not when i have SSO disabled and have just LDAP in use for phone creds. Oauth flow is supported both with LDAP and SAML from 12.0 onwards version.

ravi.pandey · ‎02-04-2023

Conclusion is : Oauth has 2 flows, implicit and Oauth grant flow, implicit supports access token only with saml sso, hence if you have "oauth refresh login flow" disabled with SSO on access token will still come into picture, but if you have LDAP as authentication and " oauth refresh login flow" disabled, access token Authorization won't come into picture. LDAP only supports Oauth grant flow and that too from 12.x onwards.

b.winter · ‎02-04-2023

As long as Jabber has a valid Refresh Token, Jabber automatically gets a new Auth Token in the background.

Only if the Refresh token has expired (e.g. when the user wasn't logged in Jabber for longer then the Refresh Expiry time), Jabber needs to re-authenticate again (e.g. via Username / Password), to get new Refresh and Auth Token.

Personally, I always set the Auth Token Expiry Timer to 1440 (the max.)

ravi.pandey · ‎02-04-2023

i know that, that is not what i asked.

Will access token or Oauth support only come into picture if you have "Oauth refresh flow set to enabled" bcoz i have it disabled and i didn't get the re-authentication prompt after 60mins of access token expiry

b.winter · ‎02-04-2023

You asked, why you didn't get the re-auth prompt and I wrote, because you probably still have a valid Refresh token.
You only get the re-auth prompt if both Auth and Refresh Token have expired. No matter, if the "flow" is enabled or not.

There are a Cisco Docs, Cisco Live presentations, ... explaining that in details