02-03-2023 11:34 PM
I have been doing some tests in the lab. We have LDAP-enabled users and:
1. OAuth refresh flow is disabled
2. access token default expiry is 60 mins
3. users have their LDAP credentials set up under Webex phone services
My observation has been that I don't get a prompt to reauthenticate to phone services after 60 mins. This means that the OAuth "access token" will only come into the picture if we have "OAuth refresh login flow" enabled; with that disabled there is no authorization flow. Am I correct in my assessment?
02-04-2023 02:11 PM
Conclusion is: OAuth has 2 flows, implicit and OAuth grant flow. Implicit supports access token only with SAML SSO, hence if you have "OAuth refresh login flow" disabled with SSO on, access token will still come into the picture, but if you have LDAP as authentication and "OAuth refresh login flow" disabled, access token authorization won't come into the picture. LDAP only supports OAuth grant flow, and that too from 12.x onwards.
02-03-2023 11:48 PM
Here it says otherwise; based on this, shouldn't I have been prompted for re-authentication?
02-04-2023 04:29 AM - edited 02-04-2023 04:31 AM
I read that statement to mean that the AuthZ service is running regardless of the OAuth refresh flow parameter as of that version but that Jabber will respect the OAuth parameter.
So, while that setting is off Jabber will use HTTP Basic authentication with the user’s credentials if SAML SSO is off.
Also, OAuth has two tokens: access and refresh. Refresh (60 day validity) is used to fetch access (60 minute validity) tokens. Neither will be used when that parameter is off.
Deploying OAuth with Cisco Collaboration Solution Release 12.0
02-04-2023 04:40 AM
02-04-2023 04:51 AM - edited 02-04-2023 04:52 AM
When SAML SSO is enabled - and Jabber no longer has user credentials - the user will have to authenticate with the IdP whenever the SAML cookie expires.
Just to be clear: if OAuth was enabled the user would only need to authenticate again when the refresh token expires.
02-04-2023 12:01 PM
So I tested it thrice, and it seems like access token expiry is kicking in:
1. I got a phone session expired message on the Webex app. Before I signed in, I went to the enterprise parameters and set the access token expiry to 80 mins from 60 mins. Note: OAuth refresh login is already set to disabled and SSO is enabled.
2. Then I signed into phone services and after exactly 80 mins my phone session again expired and prompted me for login.
The above steps were tested 3 times. This means the access token is kicking in even with "OAuth refresh" set to disabled, so why not when I have SSO disabled and have just LDAP in use for phone creds? OAuth flow is supported both with LDAP and SAML from version 12.0 onwards.
02-04-2023 02:50 AM - edited 02-04-2023 02:52 AM
As long as Jabber has a valid Refresh Token, Jabber automatically gets a new Auth Token in the background.
Only if the Refresh token has expired (e.g. when the user wasn't logged in to Jabber for longer than the Refresh Expiry time) does Jabber need to re-authenticate again (e.g. via Username / Password) to get a new Refresh and Auth Token.
Personally, I always set the Auth Token Expiry Timer to 1440 (the max.)
02-04-2023 02:54 AM
I know that; that is not what I asked.
Will access token or OAuth support only come into the picture if you have "OAuth refresh flow" set to enabled? Because I have it disabled and I didn't get the re-authentication prompt after 60 mins of access token expiry.
02-04-2023 03:43 AM
You asked why you didn't get the re-auth prompt, and I wrote: because you probably still have a valid Refresh token.
You only get the re-auth prompt if both Auth and Refresh Token have expired, no matter if the "flow" is enabled or not.
There are Cisco Docs, Cisco Live presentations, ... explaining that in detail.
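The token behaviour described in this thread (a long-lived refresh token silently fetching short-lived access tokens, with a re-authentication prompt only once both have expired, versus a prompt at every access-token expiry when no refresh token is issued) can be modelled with a small simulation. This is an added example written for illustration, not code from Cisco or from any poster; the class and function names, the minute-based clock and the token lifetimes are all constructed for the example and do not reflect the internals of Jabber, Webex or CUCM.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed defaults mirroring the figures quoted in the thread:
# access tokens live 60 minutes, refresh tokens 60 days.
DEFAULT_ACCESS_LIFETIME_MIN = 60
DEFAULT_REFRESH_LIFETIME_MIN = 60 * 24 * 60


@dataclass
class Token:
    """A bearer token with an issue time and lifetime, both in simulated minutes."""
    kind: str          # "access" or "refresh"
    issued_at: int
    lifetime: int

    def valid_at(self, now: int) -> bool:
        return now < self.issued_at + self.lifetime


class TokenClient:
    """Hypothetical client modelling when a user would be prompted to sign in again."""

    def __init__(self, refresh_flow_enabled: bool,
                 access_lifetime: int = DEFAULT_ACCESS_LIFETIME_MIN,
                 refresh_lifetime: int = DEFAULT_REFRESH_LIFETIME_MIN) -> None:
        self.refresh_flow_enabled = refresh_flow_enabled
        self.access_lifetime = access_lifetime
        self.refresh_lifetime = refresh_lifetime
        self.access: Optional[Token] = None
        self.refresh: Optional[Token] = None
        self.prompts = 0  # how many times the user had to authenticate interactively

    def sign_in(self, now: int) -> None:
        """Interactive authentication (credentials or IdP); the server issues tokens.
        A refresh token is only issued when the refresh flow is enabled."""
        self.prompts += 1
        self.access = Token("access", now, self.access_lifetime)
        self.refresh = (Token("refresh", now, self.refresh_lifetime)
                        if self.refresh_flow_enabled else None)

    def ensure_access(self, now: int) -> str:
        """Make sure a usable access token exists at time `now`.
        Returns which path was taken: 'cached', 'refreshed' or 'reauth'."""
        if self.access is not None and self.access.valid_at(now):
            return "cached"
        if self.refresh is not None and self.refresh.valid_at(now):
            # Background renewal: the user sees nothing.
            self.access = Token("access", now, self.access_lifetime)
            return "refreshed"
        # Neither token is usable: the user gets the re-authentication prompt.
        self.sign_in(now)
        return "reauth"


def simulate(refresh_flow_enabled: bool, access_lifetime: int,
             checks: List[int],
             refresh_lifetime: int = DEFAULT_REFRESH_LIFETIME_MIN) -> Tuple[List[str], int]:
    """Sign in at minute 0, then request access at each minute in `checks`.
    Returns the per-check outcome and the total number of interactive prompts."""
    client = TokenClient(refresh_flow_enabled, access_lifetime, refresh_lifetime)
    client.sign_in(0)
    events = [client.ensure_access(t) for t in checks]
    return events, client.prompts


if __name__ == "__main__":
    # Refresh flow disabled, 80-minute access token: a prompt at every expiry,
    # as observed in the thread after raising the timer from 60 to 80 minutes.
    print(simulate(False, 80, [30, 79, 80, 100, 161]))
    # Refresh flow enabled: access tokens renew silently until the refresh
    # token itself expires (shortened to 200 minutes here for the demo).
    print(simulate(True, 60, [61, 121, 181, 241], refresh_lifetime=200))
```

Running the two scenarios shows the difference the posters are debating: with the refresh flow disabled every access-token expiry produces a `reauth`, whereas with it enabled the client reports `refreshed` in the background and only falls back to `reauth` once the refresh token has also lapsed.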