OPENAM-13481: Stateless OAuth2 client_credentials grant/implicit type has long CTS token timeout


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.2, 5.5.1, 6.0.0
    • Fix Version/s: 6.5.0
    • Component/s: CTS, oauth2, OpenID Connect
    • Environment:
      Vanilla AM install


      Bug description

      When using stateless OAuth2 with the client_credentials or implicit grant type, the CTS token that is created does not use the access token timeout: when the OAuth2 provider has "Issue Refresh Tokens" enabled, its expiry is (access token timeout + refresh token timeout).


      The client_credentials and implicit grants never issue a refresh token, and their access tokens are nearly always short-lived and issued frequently. Giving each of their CTS entries an expiry that includes the 7-day refresh token lifetime will fill up the CTS and induce massive problems. [Impact]

      In short, for grant types that do NOT generate a refresh token, the CTS grant token is still set to the access token timeout plus the refresh token timeout. The code assumes that a later token refresh might need to look up the CTS grant, which cannot happen for these grants because they do not issue refresh tokens.

      Versions affected and not affected

      This problem is not present in 13.5.1 but is seen in 13.5.2 and 6.0.0.x (for the versions tested).

      How to reproduce the issue

      1. Install AM 13.5.x/6.0.0.x
      2. Create a new test realm
      3. Using the OAuth2 Dashboard, create a new OAuth2 service for the /test realm
      (MAKE SURE to tick "Issue Refresh Tokens", as this is core to the issue).
      4. Set the service to stateless OAuth2 (with all the other defaults)
      5. Create a new OAuth2 client (myClientId) with the defaults
      6. Access this OAuth2 application with a client_credentials grant
      7. Check the coreExpirationTime of the CTS OAUTH2_STATELESS_GRANT entry that was created
      Notice it is 60 min + 604800 seconds (the 7-day refresh token timeout)

      Expected behaviour
      The OAUTH2_STATELESS_GRANT for the client_credentials grant type has only the configured access token timeout
      Current behaviour
      The OAUTH2_STATELESS_GRANT for the client_credentials or implicit grant type (in CTS) has "access token timeout + refresh token timeout"

      The issue is not seen in 13.5.1 but is seen in 13.5.2 and later AM (due to the change made to optimise stateless CTS)

      Work around

      Not ideal, but since the conditions for the problem are

      1) OAuth2 "Issue Refresh Tokens" is enabled
      2) refresh token timeout is 604800 seconds (7 days)

      one can try to work around it by changing one of the above settings, if the refresh-token-issuing grant types are not needed (or refresh tokens are not used), so that the long expiry is never added.

      3) Otherwise, clean up these CTS entries through an external routine, assuming the affected entries can be distinguished (by creation time, realm or clientId).

      Code analysis

      private long getGrantExpiryTime(OAuth2ProviderSettings providerSettings,
              OpenIdConnectClientRegistration clientRegistration) throws ServerException {
          Duration accessTokenLifetime = getAccessTokenLifetime(providerSettings, clientRegistration);
          Duration expiryTime = Duration.millis(currentTimeMillis()).plus(accessTokenLifetime);
          // This branch runs for every grant type, including client_credentials and implicit,
          // which never receive a refresh token, so their CTS entry inherits the refresh lifetime.
          if (providerSettings.issueRefreshTokens()) {
              Duration refreshTokenLifetime = getRefreshTokenLifetime(providerSettings, clientRegistration);
              if (refreshTokenLifetime.isShorterThan(Duration.ZERO)) {
                  return -1; // a negative refresh lifetime yields -1 rather than a timestamp
              }
              expiryTime = expiryTime.plus(refreshTokenLifetime);
          }
          return expiryTime.getMillis();
      }

      The 13.5.2 code is more or less like this; the 6.x code has changed, but the same logic, which does not consider the grant type, is still present.
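      The following is an added example, not AM's code: a small Python model of the expiry arithmetic in the method above, with a grant-type-aware variant of the kind the fix would need, plus a check of the sort the external-cleanup workaround (item 3) and reproduction step 7 call for. Lifetimes are in seconds rather than the milliseconds AM uses, the AM settings objects are replaced by a plain dataclass, the set of refresh-capable grant types is an assumption taken from RFC 6749 rather than from AM, and the CTS records (attribute names coreTokenId, coreTokenType, coreExpirationTime, createTimestamp, clientId) are constructed sample data, with createTimestamp and clientId assumed to be the attributes available for filtering.

```python
"""Model of the OPENAM-13481 CTS grant expiry calculation (added example, not AM code)."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Assumption: grant types that can legitimately receive a refresh token (RFC 6749 view;
# AM's own list may differ, e.g. for custom grant handlers).
REFRESH_CAPABLE_GRANTS = {"authorization_code", "password", "refresh_token", "device_code"}


@dataclass(frozen=True)
class ProviderSettings:
    issue_refresh_tokens: bool
    access_token_lifetime: int = 3600      # AM default, 60 minutes
    refresh_token_lifetime: int = 604800   # AM default, 7 days


def grant_expiry_buggy(now: int, settings: ProviderSettings) -> int:
    """Expiry as computed in 13.5.2: the refresh lifetime is added for every grant type."""
    expiry = now + settings.access_token_lifetime
    if settings.issue_refresh_tokens:
        if settings.refresh_token_lifetime < 0:
            return -1
        expiry += settings.refresh_token_lifetime
    return expiry


def grant_expiry_fixed(now: int, settings: ProviderSettings, grant_type: str) -> int:
    """Only grants that can actually be refreshed keep the CTS entry alive for the refresh lifetime."""
    expiry = now + settings.access_token_lifetime
    if settings.issue_refresh_tokens and grant_type in REFRESH_CAPABLE_GRANTS:
        if settings.refresh_token_lifetime < 0:
            return -1
        expiry += settings.refresh_token_lifetime
    return expiry


def find_overlong_grants(cts_entries: Iterable[dict], settings: ProviderSettings,
                         client_ids: Set[str], slack: int = 60) -> List[str]:
    """Return coreTokenIds of OAUTH2_STATELESS_GRANT entries for the given clients whose
    lifetime exceeds the access token lifetime (plus slack). The clients must be ones that
    only use client_credentials/implicit, since a long-lived authorization_code grant is
    legitimate; this is the clientId-based distinction the workaround relies on."""
    hits = []
    for entry in cts_entries:
        if entry.get("coreTokenType") != "OAUTH2_STATELESS_GRANT":
            continue
        if entry.get("clientId") not in client_ids:
            continue
        if entry["coreExpirationTime"] < 0:
            continue  # never-expiring entry: not this bug's signature, review separately
        lifetime = entry["coreExpirationTime"] - entry["createTimestamp"]
        if lifetime > settings.access_token_lifetime + slack:
            hits.append(entry["coreTokenId"])
    return hits


# Constructed sample CTS records; grant-cc-1 shows the bug, grant-cc-2 is a healthy entry,
# grant-ac-1 belongs to a web client that legitimately refreshes, sess-1 is not a grant.
SAMPLE_CTS = [
    {"coreTokenId": "grant-cc-1", "coreTokenType": "OAUTH2_STATELESS_GRANT",
     "clientId": "myClientId", "createTimestamp": 1000, "coreExpirationTime": 609400},
    {"coreTokenId": "grant-cc-2", "coreTokenType": "OAUTH2_STATELESS_GRANT",
     "clientId": "myClientId", "createTimestamp": 5000, "coreExpirationTime": 8600},
    {"coreTokenId": "grant-ac-1", "coreTokenType": "OAUTH2_STATELESS_GRANT",
     "clientId": "webapp", "createTimestamp": 1000, "coreExpirationTime": 609400},
    {"coreTokenId": "sess-1", "coreTokenType": "SESSION",
     "clientId": "myClientId", "createTimestamp": 1000, "coreExpirationTime": 1600},
]

if __name__ == "__main__":
    cfg = ProviderSettings(issue_refresh_tokens=True)
    print("buggy client_credentials expiry:", grant_expiry_buggy(1000, cfg))
    print("fixed client_credentials expiry:", grant_expiry_fixed(1000, cfg, "client_credentials"))
    print("overlong grants for myClientId:", find_overlong_grants(SAMPLE_CTS, cfg, {"myClientId"}))
```

      With the defaults, the buggy path gives a client_credentials grant an expiry 604800 seconds later than the fixed path, which is exactly the "60 min + 7 days" seen in step 7 of the reproduction.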


              • Assignee:
                chee-weng.chea C-Weng C