• Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.1.0
    • Component/s: oauth2
    • Labels:
    • Target Version/s:
    • Story Points:


      Bug description

      The grant set looked up for a request to /oauth2{REALM}access_token by the first read of an access_token is cached on the request itself under the GRANT_SET context. When a second access_token is then looked up on the same request, the cached grant set is returned; it contains only the first grant, not the grant for the second token, so the lookup fails. There is currently no way to tell the grant set handler not to use the cache on a read, so manually removing the GRANT_SET context that the cache mechanism set on the request is the only way to force it to read the correct grant set for the second lookup.

      This is not normally a problem, as only a single access token is accessed on a single request; however, now that we are implementing delegated token exchange, which involves two access tokens, there should be a way to tell AM not to check the cache for the grant set.

      How to reproduce the issue

      To recreate the error, run the TestTokenExchange functional test; you will see a failure similar to the one below:
      when a client is configured to use token exchange
      when using OAuth2 grant set storage scheme
      when using stateful OAuth2
      when The client is delegating a subject token to an actor token
      when subject token has the actor token's subject in its may_act field and no modifications are requested

      Expected behaviour
      All stages of TestTokenExchange pass.
      Current behaviour
        <{"error"="invalid_grant", "error_description"="The provided access grant is invalid, expired, or revoked."}>
      not to contain keys:
        <["error", "error_description"]>
      	at com.forgerock.openam.functionaltest.api.oauth2.parsing.tokenexchange.TokenExchange.<init>(
      	at com.forgerock.openam.functionaltest.api.oauth2.parsing.tokenexchange.TokenExchangeFlow.perform(
      	at com.forgerock.openam.functionaltest.oauth2.TestTokenExchange.<cuppa test>(

      Workaround

      Set the following in the request sent to AM:
      request.setContextFor(OAuth2Request.ContextKey.GRANT_SET, null);

      Code analysis

      The CacheStrategy should be passed to getGrantSetByTokenId (see below) so that the cached GrantSet is ignored.
          protected GrantSet getGrantSetByTokenId(OAuth2Request request, String tokenId)
                  throws ServerException, InvalidGrantException, NotFoundException {
              // Whatever the first read on this request cached is returned for every later token id.
              Optional<GrantSet> cachedGrantSet = request.getContextFor(GRANT_SET, GrantSet.class);
              if (cachedGrantSet.isPresent()) {
                  return cachedGrantSet.get();
              }
              GrantSet grantSet = readGrantSetByTokenId(request, tokenId);
              request.setContextFor(GRANT_SET, grantSet);
              return grantSet;
          }
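      The following is an added, self-contained illustration of the caching problem and of the proposed CacheStrategy parameter; it is example code, not AM's own, and the CacheStrategy values, the Request stand-in and the token ids are assumed.

```java
import java.util.Map;
import java.util.Optional;

public class GrantSetCacheDemo {
    // Stand-in for the CacheStrategy the ticket proposes passing in (names assumed, not AM's own).
    enum CacheStrategy { USE_CACHE, IGNORE_CACHE }
    // Constructed store: the subject and actor tokens of a token exchange belong to different grant sets.
    static final Map<String, String> STORE =
            Map.of("subject-token", "grantSet-subject", "actor-token", "grantSet-actor");

    // Minimal stand-in for OAuth2Request with its single GRANT_SET context slot.
    static class Request {
        private String grantSetContext;
        Optional<String> getGrantSetContext() { return Optional.ofNullable(grantSetContext); }
        void setGrantSetContext(String grantSet) { this.grantSetContext = grantSet; }
    }

    // Shape of the reported bug: whatever the first read cached is returned for every later token id.
    static String getGrantSetByTokenIdBuggy(Request request, String tokenId) {
        Optional<String> cached = request.getGrantSetContext();
        if (cached.isPresent()) {
            return cached.get();
        }
        String grantSet = STORE.get(tokenId);
        request.setGrantSetContext(grantSet);
        return grantSet;
    }

    // Proposed shape: the caller decides whether the request-level cache may be consulted at all.
    static String getGrantSetByTokenId(Request request, String tokenId, CacheStrategy strategy) {
        if (strategy == CacheStrategy.USE_CACHE) {
            Optional<String> cached = request.getGrantSetContext();
            if (cached.isPresent()) {
                return cached.get();
            }
        }
        String grantSet = STORE.get(tokenId);
        request.setGrantSetContext(grantSet);  // still overwrites the slot, so a later USE_CACHE read sees this token's grant set
        return grantSet;
    }

    public static void main(String[] args) {
        Request buggy = new Request();
        getGrantSetByTokenIdBuggy(buggy, "subject-token");
        System.out.println("buggy actor lookup: " + getGrantSetByTokenIdBuggy(buggy, "actor-token"));
        Request fixed = new Request();
        getGrantSetByTokenId(fixed, "subject-token", CacheStrategy.USE_CACHE);
        System.out.println("fixed actor lookup: " + getGrantSetByTokenId(fixed, "actor-token", CacheStrategy.IGNORE_CACHE));
    }
}
```

      Run as-is: the buggy lookup answers the actor token with the subject's grant set, which is what surfaces as the invalid_grant error above, while the IGNORE_CACHE read returns the actor's grant set.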


            • Assignee:
              isaac.taylor Isaac Taylor