Idea ID: 2872675

Make OAuth Grant attribute virtual / assign to any user store

Status : New Idea

We need the ability to configure OAuth and OIDC with grant revocation as a writeable attribute on any user store. This is the attribute that has the default name nidsOAuthGrant. At our major NAM customer we use two user stores, AD and eDirectory, and have configured virtual attributes in NAM to allow claims to be pulled from either directory. Our NAM Identity Servers only have read permission to AD, and read/write to eDirectory. Because nidsOAuthGrant must be writeable, we can't hold it in AD. Because authentication begins with AD, NAM seems to require nidsOAuthGrant to be defined as an LDAP attribute in AD. Please can we hold it in eDirectory, perhaps as a virtual attribute or a similar method?

Labels:

Configuration
  • Based on years of experience, customers with AD environments are not fond of extending the schema. Also, most customers do not want to give any write access to the AM proxy user.

    I think storing OAuth information should not be dependent on the target user store. nidsOAuthGrant information should be stored in the internal AM eDirectory, as AM is already able to store, for example, users' shared secrets.