OPENAM-12011: Session is not refreshed reliably when using oauth2/authorize endpoint


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0, 13.5.1
    • Fix Version/s: 14.0.0, 14.5.0, 6.0.0
    • Component/s: session
    • Rank: 1|hzutm7:
    • Sprint: AM Sustaining Sprint 46, AM Sustaining Sprint 47, AM Sustaining Sprint 48, AM Sustaining Sprint 49
    • 3
    • No
    • No
    • No
    • Yes and I used the same an in the description

      Description

      Bug description

      Session refresh during oauth2/authorize requests is not reliable.

      This does not affect 14.0.0 (AM 5.0.0)

      How to reproduce the issue

      1. Install a single OpenAM 13.5 instance.
      2. Configure the sample OpenID client for the implicit grant type.
      3. Change the session idle max time to 15 minutes.
      4. Run the two scripts attached.

      The 1st script does the following:

      • Authenticate demo
      • wait 7.5 minutes
      • do an OIDC request. This should refresh idle time
      • wait 7.5 minutes, taking us to the initial expiry
      • do another OIDC request

      The 2nd script:

      • Authenticate demo
      • do an OIDC request every 4 minutes

      The final oauth2/authorize request of the first script fails, because the session has become invalid.

      The final oauth2/authorize requests of the second script are successful, because the session is continually refreshed.

      Some minor modifications are required to run the scripts locally.

      Maximum Caching Time was kept at its default of 3 minutes.

      Expected behaviour
      Authorize requests continue to succeed, as the server-side session is continually refreshed.

      Current behaviour
      The session times out and is destroyed, meaning users on the client app need to authenticate again.

      Workaround

      Make more frequent requests, possibly at a cost to performance and memory.
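      As an added illustration (not the attached scripts, which are not on this page), the Python model below replays both request schedules against the 15-minute idle timeout from the reproduction steps. It shows why the first script's second request, landing exactly at the initial expiry, is the decisive probe of whether the 7.5-minute request refreshed the session, and why the more frequent requests of the second script (the workaround) tolerate a dropped refresh. The model and its expiry-exactly-at-the-limit rule are assumptions, not OpenAM code.

```python
# Timeline model of server-side idle-timeout bookkeeping (assumed semantics, not OpenAM code).
IDLE_TIMEOUT_MIN = 15.0   # "session idle max time" from the reproduction steps


def replay(request_minutes, dropped_refreshes=()):
    """Authenticate at t=0, then issue one oauth2/authorize request at each minute in
    `request_minutes`. A request succeeds while idle time is strictly below the timeout;
    a successful request refreshes the server-side idle time unless its index is listed
    in `dropped_refreshes` (the reported failure: a request that did not refresh).
    Returns (ok, margin_minutes) per request; margin is how far from expiry it landed."""
    last_activity = 0.0
    results = []
    for i, now in enumerate(request_minutes):
        idle = now - last_activity
        margin = IDLE_TIMEOUT_MIN - idle
        ok = margin > 0                      # idle == timeout counts as already expired
        if ok and i not in dropped_refreshes:
            last_activity = now              # the refresh the report expects on every request
        results.append((ok, margin))
    return results


# Request schedules taken from the script descriptions in the report (minutes after login).
SCRIPT_1 = [7.5, 15.0]                      # wait 7.5 min, request, wait 7.5 min, request
SCRIPT_2 = [4.0 * i for i in range(1, 6)]   # a request every 4 minutes, 20 minutes in total


def summarise(name, schedule, dropped_refreshes=()):
    """Human-readable timeline for one schedule."""
    lines = [f"{name}: idle timeout {IDLE_TIMEOUT_MIN:g} min"]
    for t, (ok, margin) in zip(schedule, replay(schedule, dropped_refreshes)):
        status = "ok    " if ok else "FAILED"
        lines.append(f"  t={t:5.1f} min  {status}  margin {margin:+.1f} min")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise("script 1, every request refreshes", SCRIPT_1))
    print(summarise("script 1, refresh at 7.5 min dropped (as reported)", SCRIPT_1, {0}))
    print(summarise("script 2, every request refreshes", SCRIPT_2))
    print(summarise("script 2, refresh at 4 min dropped (workaround absorbs it)", SCRIPT_2, {0}))
```

      With the 7.5-minute refresh dropped, the first script's second request has a margin of exactly zero and fails, matching the invalid-session error in the trace below; the second script survives a single dropped refresh because every request has 11 minutes of margin.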

      Code analysis

      WARNING: Error authenticating user against OpenAM:
      com.iplanet.sso.SSOException: Invalid session ID.AQIC5wM2LY4Sfczp71onT6-AvqraWMnOClHX2wBun7ATHys.*AAJTSQACMDEAAlNLABQtNzc4Mjg0NzgyODc3NDc1NDI4OQACUzEAAA..*
      at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:131)
      at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:298)
      at org.forgerock.oauth2.core.ResourceOwnerSessionValidator.getResourceOwnerSession(ResourceOwnerSessionValidator.java:233)
      at org.forgerock.oauth2.core.CsrfProtection.isCsrfAttack(CsrfProtection.java:45)
      at org.forgerock.oauth2.core.AuthorizationService.authorize(AuthorizationService.java:285)
      at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:171)
      at sun.reflect.GeneratedMethodAccessor61.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.restlet.resource.ServerResource.doHandle(ServerResource.java:520)
      at org.restlet.resource.ServerResource.post(ServerResource.java:1377)
      at org.restlet.resource.ServerResource.doHandle(ServerResource.java:620)
      at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:678)
      at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:356)
      at org.restlet.resource.ServerResource.handle(ServerResource.java:1043)
      at org.restlet.resource.Finder.handle(Finder.java:236)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:121)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
      at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:75)
      at org.restlet.Application.handle(Application.java:385)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.routing.Router.doHandle(Router.java:422)
      at org.restlet.routing.Router.handle(Router.java:639)
      at org.restlet.routing.Filter.doHandle(Filter.java:150)
      at org.restlet.routing.Filter.handle(Filter.java:197)
      at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
      at org.restlet.Component.handle(Component.java:408)
      at org.restlet.Server.handle(Server.java:507)
      at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
      at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
      at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
      at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:130)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.forgerock.openam.validation.FQDNValidationFilter.doFilter(FQDNValidationFilter.java:63)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)
      Caused by: com.iplanet.dpro.session.SessionException: Invalid session ID.AQIC5wM2LY4Sfczp71onT6-AvqraWMnOClHX2wBun7ATHys.*AAJTSQACMDEAAlNLABQtNzc4Mjg0NzgyODc3NDc1NDI4OQACUzEAAA..*
      at com.iplanet.dpro.session.Session.refresh(Session.java:1056)
      at org.forgerock.openam.session.SessionCache.getSession(SessionCache.java:300)
      at org.forgerock.openam.session.SessionCache.getSession(SessionCache.java:232)
      at org.forgerock.openam.session.SessionCache.getSession(SessionCache.java:217)
      at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:110)
      ... 82 more
      Caused by: com.iplanet.dpro.session.SessionException: Invalid session ID.AQIC5wM2LY4Sfczp71onT6-AvqraWMnOClHX2wBun7ATHys.*AAJTSQACMDEAAlNLABQtNzc4Mjg0NzgyODc3NDc1NDI4OQACUzEAAA..*
      at com.iplanet.dpro.session.service.SessionService.resolveToken(SessionService.java:614)
      at com.iplanet.dpro.session.service.SessionService.getSessionInfo(SessionService.java:848)
      at com.iplanet.dpro.session.operations.strategies.LocalOperations.refresh(LocalOperations.java:69)
      at com.iplanet.dpro.session.monitoring.MonitoredOperations.refresh(MonitoredOperations.java:58)
      at com.iplanet.dpro.session.Session.doRefresh(Session.java:1069)
      at com.iplanet.dpro.session.Session.access$300(Session.java:119)
      at com.iplanet.dpro.session.Session$2.run(Session.java:1045)
      at com.sun.identity.session.util.RestrictedTokenContext.doUsing(RestrictedTokenContext.java:81)
      at com.iplanet.dpro.session.Session.refresh(Session.java:1042)
      ... 86 more
      

        People

        lawrence.yarham Lawrence Yarham
        joe.starling Joe Starling
        Votes: 2
        Watchers: 5