Versions Compared

Old Version 13

changes.mady.by.user Milton Suen

Saved on

compared with

New Version Current

changes.mady.by.user Bala Harish A(AC)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel2
outlinefalse
typelist
printablefalse

Listing Authentication Tokens

Perform a GET on the token path using an existing authentication token or using HTTP basic authentication to validate the request to list active authentication tokens.

...

Code Block
GET http://{domain}/_admin/manage/tenants/tenant256/tokens/
Authorization: Basic Z2NhcmxpbjpmdW5ueQ==

Removing an Authentication Token

Perform a DELETE on the full token path and authenticate the request with a token or with HTTP basic authentication to logout and remove an authentication token.

...

Code Block
languagexml
DELETE http://{domain}/.TOKEN/53dfb96dc6d5b9cacd174e3649cba6d5
Cookie: token=53dfb96dc6d5b9cacd174e3649cba6d5

HTTP/1.1 200 OK
Gateway-Request-Id: 9855371AA8411781
Set-Cookie: token=; path=/
Content-Length: 0
Info

Note

The operation must be authenticated using either the token within a Cookie header or by using a valid user and password in an Authentication header with the request when using the token in the URI path. The audit log reflects the name of user that owns the token if the cookie is used or the name of the authenticated user if HTTP basic authentication is used.

Clearing Tokens for Locked Accounts

Gateway allows unexpired tokens to continue to work for locked accounts because identity management systems are poor at signalling that an account has been locked. The token stops working as soon as it expires from cache for a removed account.

...

  1. Standardize an attribute within one of the schemas that apply to the user record for which enabled user accounts always have set to a known value. 

  2. Design a test for the value. 

Info

Tip

Although negative test can be used to find disabled accounts, there is less risk of mistakes with the affirmative method: attribute is value.

Use the pwdPolicy schema with the pwdLockout attribute and use the userFilter to require the pwdLockout attribute to be true.

Token Examples

The token administrator defined in the root IDSYS configuration file is allowed to use the x-owner-meta argument to perform token listing for any user. Administrators wishing to disable a user account and log them out of the system can do so by locking the LDAP account and then removing any existing authentication tokens for the user.

...

Notice the token administrator lists tokens the same way any user does and is able to specify an arbitrary user with the x-owner-meta query argument. The delete operation is the same pattern whether performed by the user or the token administrator.

Infotip

Best

practice

Practice

Use the token administrator's credentials when accessing or deleting tokens for other users so the audit log reflects the token administrator performed the operations.

...