OpenAM / OPENAM-12067

Stateless refresh token revoke involves a large number of LDAP operations

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.5.1
    • Fix Version/s: 6.5.0
    • Component/s: CTS
    • Sprint: 2018.12 - Alcohol, 2018.13 - Cuneiform
    • Story Points: 0.5

      Description

      When calling the revoke endpoint (/oauth2/token/revoke) and revoking a refresh token (which also revokes the access token), there are a large number (8) of LDAP operations that go into revoking the tokens. The LDAP operations associated with a revoke are:

       
      SEARCH for the grant token (coreTokenId=b2ab918f-1961-489f-ab09-0d7305ab5fea)
      DELETE the grant token
      ADD a blacklist entry for the grant token (coreTokenId=blacklist-oauth2-stateless-b2ab918f-1961-489f-ab09-0d7305ab5fea)
      SEARCH for associated tokens (coreTokenString15=afd308bc-ab6c-4a55-9589-09320e6f5252)
      ADD a blacklist entry for refresh token (coreTokenId=blacklist-oauth2-stateless-1ebb1958-a8db-40fc-806a-42b46a1ad884)
      DELETE the refresh token (coreTokenId=1ebb1958-a8db-40fc-806a-42b46a1ad884)
      ADD a blacklist entry for access token (coreTokenId=blacklist-oauth2-stateless-8212086a-4516-4999-b561-bfb82e72542a)
      DELETE the access token (coreTokenId=8212086a-4516-4999-b561-bfb82e72542a)
       
      In addition, revoking the refresh token does not reduce the number of tokens in the CTS, as each token now has an associated blacklist entry, which may cause unexpected growth of the CTS DB.
       
      DJ Log of operations is attached.
      Also attached is an LDIF of CTS before and after.
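
An added example, not part of the original issue or of OpenAM's code: one way to compare "before" and "after" CTS LDIF exports like the ones attached, to confirm that revoked tokens were replaced one-for-one by blacklist entries. The LDIF samples and base DN are constructed; only the coreTokenId values and the `blacklist-oauth2-stateless-` prefix come from the description above.

```python
# Added example: summarize CTS growth between two LDIF snapshots.
BLACKLIST_PREFIX = "blacklist-oauth2-stateless-"  # prefix shown in the issue

# Constructed sample data: the base DN is an assumption, the ids are from the issue.
BASE = "ou=tokens,dc=example,dc=com"
IDS = ["b2ab918f-1961-489f-ab09-0d7305ab5fea",   # grant token
       "1ebb1958-a8db-40fc-806a-42b46a1ad884",   # refresh token
       "8212086a-4516-4999-b561-bfb82e72542a"]   # access token

def make_ldif(ids):
    """Build a minimal LDIF text with one record per coreTokenId."""
    return "\n\n".join(f"dn: coreTokenId={i},{BASE}\ncoreTokenId: {i}" for i in ids) + "\n"

BEFORE = make_ldif(IDS)
AFTER = make_ldif(BLACKLIST_PREFIX + i for i in IDS)

def core_token_ids(ldif_text):
    """Return the set of coreTokenId attribute values found in an LDIF text."""
    ids = set()
    unfolded = ldif_text.replace("\n ", "")  # LDIF folds long lines with a leading space
    for record in unfolded.strip().split("\n\n"):
        for line in record.splitlines():
            name, sep, value = line.partition(":")
            # base64 values ("attr:: ...") are not decoded in this sketch
            if sep and name.strip().lower() == "coretokenid" and not value.startswith(":"):
                ids.add(value.strip())
    return ids

def summarize(before_text, after_text):
    """Compare two snapshots and report what the revoke left behind."""
    before, after = core_token_ids(before_text), core_token_ids(after_text)
    deleted = before - after
    blacklist = {i for i in after - before if i.startswith(BLACKLIST_PREFIX)}
    revoked = {i[len(BLACKLIST_PREFIX):] for i in blacklist}
    return {
        "entries_before": len(before),
        "entries_after": len(after),
        "deleted": sorted(deleted),
        "blacklist_added": len(blacklist),
        # tokens whose deletion was offset by a new blacklist entry
        "replaced_one_for_one": sorted(revoked & deleted),
        "net_change": len(after) - len(before),
    }

if __name__ == "__main__":
    for key, value in summarize(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

A `net_change` of zero after a revoke is the growth pattern the description warns about: every deleted token is matched by a blacklist entry that stays in the CTS.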

              People

              • Assignee: Craig McDonnell (craig.mcdonnell)
              • Reporter: Brad Tarisznyas (bradley.tarisznyas)