AEM Authentication
Hello All,

We currently have AEM integrated with OpenID token using a custom AuthenticationHandler implementation. We do not have custom Login Module.

The implementation works fine. We are able to authenticate the user based on the OpenID token, and we create a CRX session using:

TokenUtil.createCredentials(request, response, slingRepository, extractedUserID, true);

We have configured tokenExpiration as 15 minutes in Apache Jackrabbit Oak TokenConfiguration.

Token Expiration also works fine without any issues.

The issue we are facing is:

1. When user login occurs, the token gets created with a 15-minute expiration limit.

2. Any user activity on the application does not seem to refresh the token. No matter what the user does, it expires after 15 minutes. This is not the expected behaviour for us.

3. We do not want to use the tokenRefresh attribute within "Apache Jackrabbit Oak TokenConfiguration" as this seems to automatically refresh the token even if the user is inactive. The CSRF token heartbeat issued every 5 minutes from within the browser keeps refreshing the token and provides a prolonged session to the user. We do not want this behaviour.

Forcefully invoking:

TokenCookie.update(slingRequest, slingResponse, repositoryId, tc.getToken(), adminSession.getWorkspace().getName(), true);

does not make any difference. The token is not refreshed.

Any help or pointers would be great.

A couple of questions based on my reading:

1. Should I have a custom Login Module?

2. How can I refresh the Token programmatically?
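One way to get activity-based sliding expiration while leaving Oak's tokenRefresh disabled, as an added example that is not from the original post and not Adobe's code: a Sling request filter that re-issues the login token with TokenUtil.createCredentials (the call already used in the post) only on requests that are not the CSRF heartbeat and only when the current token is older than a threshold. The heartbeat path, the marker cookie name, the 7-minute threshold and the class name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import com.day.crx.security.token.TokenUtil;

// Assumed setup: a request-scope Sling filter; the user is already authenticated
// by the existing handler, so the filter only decides whether to re-issue the token.
@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST", "service.ranking:Integer=1000" })
public class ActivityTokenRefreshFilter implements Filter {
    private static final String HEARTBEAT_PATH = "/libs/granite/csrf/token.json"; // assumed
    private static final String MARKER_COOKIE = "token-issued-at";                // assumed name
    private static final long REISSUE_AFTER_MS = 7L * 60 * 1000;                  // assumed, < 15 min

    @Reference
    private SlingRepository repository;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String userId = request.getResourceResolver().getUserID();
        boolean realActivity = userId != null && !"anonymous".equals(userId)
                && !HEARTBEAT_PATH.equals(request.getRequestURI());
        if (realActivity && tokenIsStale(request)) {
            // Issues a new token (fresh 15-minute window) and replaces the login-token cookie.
            // The previous token stays valid in the repository until its own expiry.
            TokenUtil.createCredentials(request, response, repository, userId, true);
            Cookie marker = new Cookie(MARKER_COOKIE, Long.toString(System.currentTimeMillis()));
            marker.setHttpOnly(true);
            marker.setSecure(request.isSecure());
            marker.setPath("/");
            response.addCookie(marker);
        }
        chain.doFilter(req, res);
    }

    // Stale when no marker exists or it is older than REISSUE_AFTER_MS; a tampered
    // marker only causes an extra re-issue, never a longer token lifetime.
    private static boolean tokenIsStale(SlingHttpServletRequest request) {
        Cookie marker = request.getCookie(MARKER_COOKIE);
        if (marker == null) { return true; }
        try { return System.currentTimeMillis() - Long.parseLong(marker.getValue()) > REISSUE_AFTER_MS; }
        catch (NumberFormatException e) { return true; }
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

The idle timeout then stays at the 15 minutes configured in the Oak TokenConfiguration, because only non-heartbeat requests ever extend it.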