OpenAM / OPENAM-11453

The OAuth2 Device Flow does not make effective use of the affinity based LB for the user_code

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 13.5.2, 14.5.0
    • Component/s: CTS, oauth2
    • Labels:
    • Needs backport: Yes
    • Verified Version/s:
    • Needs QA verification: Yes
    • Functional tests: No
    • Are the reproduction steps defined?: No (add reasons in the comment)

      Description

      The OAuth2 device flow does not make effective use of the affinity-based LB for the code (user_code) that the user enters into their user-agent to link the device with themselves. This means that under load the user request could fail because the original entry was created on a different CTS node than the one being searched, resulting in a validation error.

      Specifically the user_code search looks like this:

      SEARCH REQ conn=330 op=60 msgID=61 base="ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com" scope=sub filter="(&(objectClass=frCoreToken)(coreTokenString14=yKO6mnyd))" attrs="ALL"
      [27/Jul/2017:10:57:32 +0100] SEARCH RES conn=330 op=60 msgID=61 result=0 nentries=1 etime=1

      The search base DN is ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com, which means the request will always go to one specific CTS instance, and that instance may not be the one on which the original entry was created.
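      To make the routing mismatch in the description concrete, here is an added toy model (not OpenAM or Directory Services code): an affinity router that hashes the request DN, so a token written under its full DN and a user_code search issued against the base DN can land on different nodes while replication is still catching up. The node names, user codes, token IDs and the "lagging cluster" model are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed example values: three CTS nodes and the base DN quoted in the ticket.
NODES = ("cts-1", "cts-2", "cts-3")
BASE_DN = "ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com"


def affinity_node(dn: str, nodes=NODES) -> str:
    """Affinity routing: hash the request DN so the same DN always goes to the same node.
    Writes are routed by the entry DN; searches are routed by their base DN.
    (Lower-casing stands in for real DN normalisation in this toy model.)"""
    digest = hashlib.sha256(dn.lower().encode("utf-8")).digest()
    return nodes[int.from_bytes(digest[:4], "big") % len(nodes)]


@dataclass
class LaggingCluster:
    """Nodes whose replication has not converged yet: each holds only what it received."""
    store: dict = field(default_factory=lambda: {n: {} for n in NODES})

    def create_device_token(self, token_id: str, user_code: str) -> str:
        dn = f"coreTokenId={token_id},{BASE_DN}"
        node = affinity_node(dn)               # routed by the full token DN
        self.store[node][dn] = {"coreTokenString14": user_code}
        return node

    def search_by_user_code(self, user_code: str):
        node = affinity_node(BASE_DN)          # routed by the search base DN only
        hits = [dn for dn, attrs in self.store[node].items()
                if attrs["coreTokenString14"] == user_code]
        return node, hits


def lookup_misses(n_tokens: int = 30) -> list:
    """Return the constructed user codes whose validation would fail before replication."""
    cluster = LaggingCluster()
    misses = []
    for i in range(n_tokens):
        code = f"code{i:02d}"                  # constructed user_code values
        cluster.create_device_token(f"tok-{i}", code)
        _, hits = cluster.search_by_user_code(code)
        if not hits:
            misses.append(code)
    return misses


if __name__ == "__main__":
    missed = lookup_misses()
    print(f"searches always go to {affinity_node(BASE_DN)}; "
          f"{len(missed)}/30 user_code lookups miss before replication catches up")
```

The point the model shows is that affinity only protects a read when the read is routed by the same key as the write; a search keyed on the shared base DN is pinned to one node regardless of where the token was created.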

        People

        • Assignee: Jonathan Thomas (jonthomas)
        • Reporter: Darinder Shokar (shokard)