Okta Classic Engine | Okta Integration Network | Answered | 2024-04-16T09:44:01Z | 2019-02-20T17:56:25Z | 2020-11-16T23:05:50Z

BrandonM.70172 (Customer) asked a question.

SCIM 2.0 Test App (OAuth Bearer Token) - Token Rotation?

I'm setting up a new SCIM Integration using the OAuth Bearer Token template. I've noticed that the form only provides me the ability to add a Bearer Token for the SCIM API I'm interfacing with.

There's nowhere to add a client ID, client secret or refresh token. How does the integration get a new token when the one I provide expires? Is an admin supposed to manually update these Bearer tokens? Or is the expectation that the SCIM client provides me a token that doesn't expire?


  • Hi Brandon,

    If you are looking at SCIM integration to enable Provisioning with Okta's Lifecycle Management (as described in this article https://www.okta.com/integrate/documentation/scim/), then I believe that the answer would be that the token is not expected to expire.

    I would, however, encourage you to open a Support ticket with us if you encounter any difficulties with the integration, to better leverage additional resources, such as our colleagues in Developer Support.

    Thank You,

    Andrei Aldea
    Technical Support Engineer
    Okta Global Customer Care
  • BrandonM.70172 (Customer)

    Not having a token expire seems like bad practice. If that token was compromised, an attacker would then have a lifetime to use it.

    Section 7.4 of the SCIM 2.0 spec actually requires tokens to expire:

    https://tools.ietf.org/html/rfc7644#section-7.4

    "Bearer tokens MUST have a limited lifetime that can be determined
    directly or indirectly (e.g., by checking with a validation service)
    by the service provider. By expiring tokens, clients are forced to
    obtain a new token (which usually involves re-authentication) for
    continued authorized access. For example, in OAuth 2.0, a client MAY
    use OAuth token refresh to obtain a new bearer token after
    authenticating to an authorization server."
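    The service-provider side of the RFC 7644 text quoted above (bearer tokens with a limited lifetime that the service provider itself can check) as an added Python example; this is not code from the thread, from Okta, or from any SCIM product. The token store, the injectable clock, the one-hour lifetime and the client name "okta-lcm" are assumptions made here for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_LIFETIME_SECONDS = 3600  # assumed policy: one hour, then the client must re-authenticate


@dataclass
class TokenRecord:
    client_id: str      # which SCIM client the token was issued to
    expires_at: float   # absolute time in seconds; the "limited lifetime" RFC 7644 s7.4 requires


class ServiceProviderTokens:
    """Hypothetical bearer-token store for a SCIM service provider (not Okta's code)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised without waiting an hour
        self._by_hash = {}       # sha256(token) -> TokenRecord; raw token values are never stored

    @staticmethod
    def _fingerprint(raw):
        return hashlib.sha256(raw.encode("utf-8")).hexdigest()

    def issue(self, client_id, lifetime=TOKEN_LIFETIME_SECONDS):
        """Mint a fresh opaque token with an expiry; returns the raw value to hand to the client."""
        raw = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._by_hash[self._fingerprint(raw)] = TokenRecord(client_id, self._clock() + lifetime)
        return raw

    def revoke(self, raw):
        self._by_hash.pop(self._fingerprint(raw), None)

    def rotate(self, raw):
        """Issue a replacement for a still-valid token and revoke the old one immediately."""
        status, client_id = self.check("Bearer " + raw)
        if status != 200:
            return None
        self.revoke(raw)
        return self.issue(client_id)

    def check(self, authorization_header):
        """Validate the Authorization header of an incoming SCIM request.
        Returns (http_status, client_id); 401 means the client must obtain a new token."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return 401, None
        raw = authorization_header[len("Bearer "):].strip()
        fp = self._fingerprint(raw)
        rec = self._by_hash.get(fp)
        if rec is None:
            return 401, None            # unknown, or already revoked
        if self._clock() >= rec.expires_at:
            del self._by_hash[fp]       # expired: drop it so a leaked copy is useless from now on
            return 401, None
        return 200, rec.client_id


def demo():
    """Walk a token through issue, use, expiry and rotation with a fake clock."""
    now = [1_000.0]
    sp = ServiceProviderTokens(clock=lambda: now[0])
    tok = sp.issue("okta-lcm")
    first = sp.check("Bearer " + tok)                       # (200, "okta-lcm")
    now[0] += TOKEN_LIFETIME_SECONDS + 1
    after_expiry = sp.check("Bearer " + tok)                # (401, None)
    fresh = sp.issue("okta-lcm")
    replacement = sp.rotate(fresh)
    old_after_rotate = sp.check("Bearer " + fresh)          # (401, None)
    new_after_rotate = sp.check("Bearer " + replacement)    # (200, "okta-lcm")
    return first, after_expiry, old_after_rotate, new_after_rotate


if __name__ == "__main__":
    print(demo())
```

    Storing only a hash of the token means a dump of the store does not yield usable credentials, and deleting the record on the first expired use keeps the store from accumulating dead entries.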
  • LauraW.45731 (Customer)

    I agree, this seems like bad practice to never have the token expire. Are there any plans to expand this to allow requesting a new token when it has expired? Or is there another way to implement a SCIM application so I can provide a client id and secret and it can get the token when needed?

  • 5z8aq (5z8aq)

    Since this has no answer, even though it's quite old I'll add one for folks hitting this from Google.

    When using the "OAuth Bearer Token template" you have to provide a static access token. However, when you actually go to submit the application to the OIN you will provide the client id/secret and the app that is built will automatically get and refresh tokens via OAuth2.

    There is no way to build the template application using an automated flow though, which is a bit annoying but understandable.
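    The automated flow described in the answer above (a client ID and secret exchanged for a short-lived token, refreshed when needed) as an added Python example; this is not the code of the OIN-built app, of Okta, or of the original posters. The `post_token` and `send` callables, the fake authorization server and SCIM endpoint, the 300-second token lifetime and the secret "s3cret" are all constructed here so the example runs offline.

```python
import time


class ClientCredentialsToken:
    """Obtains an access token with the OAuth 2.0 client-credentials grant and refreshes it
    shortly before it expires. `post_token` is an injected callable (an assumption of this
    example) that POSTs the form to the token endpoint and returns the JSON reply as a dict."""

    def __init__(self, client_id, client_secret, post_token, clock=time.time, refresh_skew=60):
        self._client_id = client_id
        self._client_secret = client_secret
        self._post_token = post_token
        self._clock = clock
        self._skew = refresh_skew   # refresh this many seconds early so a request never races expiry
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0        # how many round-trips to the token endpoint were needed

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            reply = self._post_token({
                "grant_type": "client_credentials",
                "client_id": self._client_id,
                "client_secret": self._client_secret,
            })
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply.get("expires_in", 3600))
            self.fetch_count += 1
        return self._token

    def invalidate(self):
        """Forget the cached token (used after the SCIM server rejected it)."""
        self._token = None


class ScimClient:
    """Sends SCIM requests with a bearer token; on a 401 it re-authenticates and retries once."""

    def __init__(self, credentials, send):
        self._creds = credentials
        self._send = send  # send(method, path, headers) -> (status, body); injected transport

    def request(self, method, path):
        for attempt in (1, 2):
            headers = {"Authorization": "Bearer " + self._creds.get(),
                       "Accept": "application/scim+json"}
            status, body = self._send(method, path, headers)
            if status == 401 and attempt == 1:
                self._creds.invalidate()   # revoked or expired server-side: fetch a new token once
                continue
            return status, body


class FakeServers:
    """Constructed stand-ins for the token endpoint and a SCIM /Users endpoint (not real services)."""

    def __init__(self, clock, token_lifetime=300):
        self._clock = clock
        self._lifetime = token_lifetime
        self._valid = {}   # token -> expiry time
        self._issued = 0

    def post_token(self, form):
        if form.get("grant_type") != "client_credentials" or form.get("client_secret") != "s3cret":
            raise RuntimeError("invalid_client")
        tok = f"tok-{self._issued}"
        self._issued += 1
        self._valid[tok] = self._clock() + self._lifetime
        return {"access_token": tok, "token_type": "Bearer", "expires_in": self._lifetime}

    def revoke_all(self):
        self._valid.clear()   # models an admin rotating credentials on the service provider

    def send(self, method, path, headers):
        tok = headers.get("Authorization", "")[len("Bearer "):]
        exp = self._valid.get(tok)
        if exp is None or self._clock() >= exp:
            return 401, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"], "status": "401"}
        return 200, {"totalResults": 0, "Resources": []}


def demo():
    now = [0.0]
    servers = FakeServers(clock=lambda: now[0])
    creds = ClientCredentialsToken("oin-app", "s3cret", servers.post_token, clock=lambda: now[0])
    scim = ScimClient(creds, servers.send)
    s1, _ = scim.request("GET", "/Users")   # first call fetches tok-0
    s2, _ = scim.request("GET", "/Users")   # cached token reused, no token-endpoint call
    now[0] += 250                           # inside the 60 s skew window before the 300 s expiry
    s3, _ = scim.request("GET", "/Users")   # proactive refresh to tok-1 before it expires
    servers.revoke_all()
    s4, _ = scim.request("GET", "/Users")   # 401, re-authenticate, retry, 200
    return (s1, s2, s3, s4), creds.fetch_count   # ((200, 200, 200, 200), 3)


if __name__ == "__main__":
    print(demo())
```

    The two things worth copying are the early refresh (`refresh_skew`) and the single retry after a 401: together they let the service provider keep tokens short-lived, as the spec requires, without an admin ever pasting a new token into the integration.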
This question is closed.