Access Token

This feature is available from TSM version 54.1.0, and only in the Go SDK.

When creating a TSM client, you will have the option to authenticate using an Access Token. Each TSM node that should accept such tokens needs a section similar to this in its configuration file:

  # Settings related to authentication of users based on OIDC Access Tokens.
  [OIDCAccessTokenAuthentication]
    # List of supported OIDC issuer URLs (example value).
    OIDCIssuers = ["https://issuer.example.com"]

    # Configuration for applications that are allowed to access the TSM.
    # This is an array of tables, so one entry can be added per application.
    [[OIDCAccessTokenAuthentication.AccessTokens]]
      # The name of the application to authenticate; must match the audience (aud) claim in the access token.
      Audience = "application name"
      # The URL of the discovery document for this access token, used to retrieve the public key.
      # Optional: defaults to the issuer URL followed by "/.well-known/openid-configuration".
      DiscoveryDocURL = "https://issuer.example.com/.well-known/openid-configuration"

      # Claims that must be present in the access token with exactly these values.
      [OIDCAccessTokenAuthentication.AccessTokens.claims]
        claim0 = "claim value 0"
        claim1 = "claim value 1"
        claim2 = "claim value 2"

The TSM node(s) will then validate the Access Token by

  • Verifying the signature: the node fetches the discovery document from DiscoveryDocURL, uses it to locate the issuer's public signing keys (the JSON Web Key Set referenced by the document), and checks the token's signature against them.
  • Checking expiry: if the exp claim is set, it is compared to the current time on the TSM node, and authentication is rejected if the token has expired. exp is a NumericDate (seconds since the Unix epoch), so timezones play no role; what matters is that the clocks of the TSM nodes and the identity provider are synchronized (for example via NTP), since any clock skew between them shifts the effective expiry.
  • Comparing the claims in the Access Token to the values specified in the configuration file for the TSM node; every configured claim must be present in the token with exactly the configured value.

Note that the aud claim in the Access Token and the Audience configured for the application must match exactly, otherwise the token is rejected.

CAVEAT: Do not use the same Access Token for authenticating towards different TSM nodes. Every node that receives the token holds a bearer credential that is equally valid at the other nodes, so a compromised or malicious node could impersonate the user by replaying a received Access Token to the other nodes. Obtain a separate token for each node, for instance by configuring a distinct Audience on each node so that a token issued for one node is rejected by the others.
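The validation steps listed above, together with the per-node audience that makes the caveat enforceable, as an added example in Go. This is illustrative code written for this page, not the TSM SDK or the TSM node's own implementation: it assumes the issuer's JWK Set has already been fetched via the discovery document, uses a hypothetical NodeConfig type in place of the real configuration struct, and mints its own test token with a freshly generated RSA key so that it runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// NodeConfig mirrors one [[OIDCAccessTokenAuthentication.AccessTokens]] entry (hypothetical type, not the TSM's own).
type NodeConfig struct {
	Audience string            // must equal the token's aud claim
	Claims   map[string]string // every listed claim must be present with exactly this value
}

// jwk/JWKS: the parts of the issuer's RSA JSON Web Key Set (served at the jwks_uri named in the
// discovery document) that verification needs. encoding/json maps "kid"/"n"/"e"/"keys" case-insensitively.
type jwk struct{ Kid, N, E string }
type JWKS struct{ Keys []jwk }

var b64 = base64.RawURLEncoding

// publicKey returns the RSA key with the given kid, or nil if the set has no usable one.
func (s JWKS) publicKey(kid string) *rsa.PublicKey {
	for _, k := range s.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == kid && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// ValidateAccessToken performs the node-side checks in the order the page lists: RS256 signature
// with the JWK matching the header kid, exp against the node clock (Unix seconds, so only clock
// skew matters, never timezones), aud against the configured Audience, then every configured claim.
func ValidateAccessToken(token string, keys JWKS, cfg NodeConfig, now time.Time, skew time.Duration) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrB, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hdrB, &hdr) != nil || hdr.Alg != "RS256" { // never honour alg "none"
		return nil, fmt.Errorf("unsupported or unreadable header (alg %q)", hdr.Alg)
	}
	pub := keys.publicKey(hdr.Kid)
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("unknown kid %q or invalid signature", hdr.Kid)
	}
	payload, err := b64.DecodeString(parts[1])
	var claims map[string]any
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, fmt.Errorf("unreadable payload")
	}
	if exp, ok := claims["exp"].(float64); ok && now.Add(-skew).After(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("token expired")
	}
	if aud, _ := claims["aud"].(string); aud != cfg.Audience { // RFC 7519 also allows an array form, not handled here
		return nil, fmt.Errorf("aud %q does not match configured audience %q", aud, cfg.Audience)
	}
	for name, want := range cfg.Claims {
		if got, _ := claims[name].(string); got != want {
			return nil, fmt.Errorf("claim %q: got %q, want %q", name, got, want)
		}
	}
	return claims, nil
}

// MintToken signs claims with RS256 the way an identity provider would, and JWKSFor publishes the
// matching public key as a one-key JWK Set. Both exist only so the example runs offline; a TSM node never mints tokens.
func MintToken(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

func JWKSFor(priv *rsa.PrivateKey, kid string) JWKS {
	e := big.NewInt(int64(priv.E)).Bytes()
	return JWKS{Keys: []jwk{{kid, b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(e)}}}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the identity provider's signing key
	// Two nodes with distinct audiences: a token minted for node A is rejected by node B, which is
	// what stops a node from replaying a received token to its peers.
	nodeA := NodeConfig{Audience: "tsm-node-a", Claims: map[string]string{"role": "signer"}}
	nodeB := NodeConfig{Audience: "tsm-node-b", Claims: map[string]string{"role": "signer"}}
	tok, _ := MintToken(priv, "k1", map[string]any{"sub": "alice", "aud": "tsm-node-a", "role": "signer", "exp": time.Now().Add(time.Hour).Unix()})
	_, errA := ValidateAccessToken(tok, JWKSFor(priv, "k1"), nodeA, time.Now(), 30*time.Second)
	_, errB := ValidateAccessToken(tok, JWKSFor(priv, "k1"), nodeB, time.Now(), 30*time.Second)
	fmt.Println("node A:", errA, "| node B:", errB)
}
```

The order of checks matters: the signature is verified before any claim is read, so an attacker cannot steer the node with a payload it never proved possession of, and the alg header is pinned to RS256 rather than trusted from the token. The skew parameter is the only clock-related knob; it exists because node and identity-provider clocks drift, not because of timezones.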