...
Once you have configured the knox.token.hash.key alias and, optionally, customized your token state service, you are all set to generate Knox tokens using the new Token Generation UI:
The following sections are displayed on the page:
- status bar: shows an informative message about the configured Token State backend. There are three different statuses:
  - ERROR: shown in red. This indicates a problem with the service backend that prevents the feature from working. It is usually seen when end users configure the JDBC token state service but make a mistake in their DB settings.
  - WARN: shown in yellow (see the picture above). This indicates that the feature is enabled and working, but with some limitations.
  - INFO: shown in green. This indicates that the token management backend is properly configured for HA and production deployments.
- information label: explains the purpose of the token generation page.
- comment: an optional input field that lets end users attach a meaningful comment (mnemonic) to a generated token. The maximum length is 255 characters.
- Configured maximum lifetime: informs clients about the knox.token.ttl property set in the homepage topology (defaults to 120 days). If that property is not set (e.g. someone removes it from the homepage topology), Knox uses a hard-coded value of 30 seconds (the default Knox token TTL).
- Custom token lifetime: set by adjusting the days/hours/minutes spinners. The default configuration yields one hour.
About the generated token TTL
Out of the box, Knox displays the custom lifetime spinners on the Token Generation page. They can be hidden by setting the knox.token.lifespan.input.enabled property to false in the homepage topology. Depending on that setting and the configured maximum lifetime, the generated token gets one of the following TTL values:
- no configured token TTL and lifespan inputs disabled -> the default TTL (30 seconds) is used
- configured TTL and lifespan inputs disabled -> the configured TTL is used
- configured TTL, lifespan inputs enabled, and the lifespan inputs result in a value less than or equal to the configured TTL -> the lifespan query param is used
- configured TTL, lifespan inputs enabled, and the lifespan inputs result in a value greater than the configured TTL -> the configured TTL is used
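The TTL rules above, together with the "Configured maximum lifetime" and spinner behaviour described earlier, can be checked against concrete inputs. The following Python is an added example written for this page; it is not Knox code and does not call the Knox API. It assumes that the homepage topology params are available as a plain dictionary, that knox.token.ttl is expressed in milliseconds, and that the lifespan query parameter is serialized as an ISO-8601 duration of the form P<d>DT<h>H<m>M (the function names, the sample topology and that wire format are all assumptions of the example, not taken from the page).

```python
import re
from datetime import timedelta
from typing import Optional

# Hard-coded Knox fallback used when knox.token.ttl is absent from the homepage topology
# (30 seconds, as stated in the text above).
DEFAULT_TTL = timedelta(seconds=30)

# Spinner defaults on the Token Generation page (days, hours, minutes): one hour.
DEFAULT_SPINNERS = (0, 1, 0)


def lifespan_param(days: int, hours: int, minutes: int) -> str:
    """Serialize the spinner values as the lifespan query parameter.

    The ISO-8601 duration form P<d>DT<h>H<m>M is an assumption of this example."""
    if min(days, hours, minutes) < 0:
        raise ValueError("spinner values cannot be negative")
    return f"P{days}DT{hours}H{minutes}M"


def parse_lifespan(value: str) -> timedelta:
    """Parse the form produced by lifespan_param() back into a duration.

    Anything else is rejected rather than guessed, so a malformed or unexpected
    client value can never widen the lifetime."""
    m = re.fullmatch(r"P(\d+)DT(\d+)H(\d+)M", value)
    if m is None:
        raise ValueError(f"unsupported lifespan value: {value!r}")
    days, hours, minutes = (int(g) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def configured_max_lifetime(topology: dict) -> Optional[timedelta]:
    """knox.token.ttl from the homepage topology params, or None if unset.

    Interpreting the value as milliseconds is an assumption of this example;
    negative values are not handled here and are rejected."""
    raw = topology.get("knox.token.ttl")
    if raw is None:
        return None
    ms = int(raw)
    if ms < 0:
        raise ValueError("negative knox.token.ttl is not handled by this example")
    return timedelta(milliseconds=ms)


def lifespan_inputs_enabled(topology: dict) -> bool:
    """knox.token.lifespan.input.enabled defaults to true (spinners are shown)."""
    return str(topology.get("knox.token.lifespan.input.enabled", "true")).lower() == "true"


def effective_ttl(topology: dict, lifespan: Optional[str]) -> timedelta:
    """Resolve the TTL a generated token gets, following the rules in the text:
    hard-coded default when no TTL is configured, configured TTL when the spinners
    are hidden, and the requested lifespan capped at the configured maximum otherwise."""
    configured = configured_max_lifetime(topology)
    if not lifespan_inputs_enabled(topology):
        # With the spinners hidden the page submits no lifespan; ignoring a stray
        # value here is this example's choice, so the cap can never be bypassed.
        lifespan = None
    if configured is None:
        # The text states the 30-second default for the "inputs disabled" case;
        # applying it when inputs are enabled as well is this example's assumption.
        return DEFAULT_TTL
    if lifespan is None:
        return configured
    requested = parse_lifespan(lifespan)
    return requested if requested <= configured else configured


if __name__ == "__main__":
    # Constructed sample topology: a 120-day maximum lifetime expressed in milliseconds.
    homepage = {"knox.token.ttl": str(120 * 24 * 3600 * 1000)}
    hidden = {**homepage, "knox.token.lifespan.input.enabled": "false"}
    print("default spinners:", effective_ttl(homepage, lifespan_param(*DEFAULT_SPINNERS)))
    print("200 days requested:", effective_ttl(homepage, lifespan_param(200, 0, 0)))
    print("spinners hidden:", effective_ttl(hidden, None))
    print("no knox.token.ttl:", effective_ttl({}, None))
```

The point worth noticing is the last rule: the client-supplied lifespan is only honoured when it does not exceed the configured maximum, so the knox.token.ttl value in the homepage topology remains the upper bound no matter what the browser sends.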