OPENAM-17349

OIDC Refresh token - Ops token is deleted from the CTS during refresh


Details

    • AM Sustaining Sprint 82, AM Sustaining Sprint 83

    Description

      Bug description

      The Ops token is deleted during refresh in some cases (if you refresh very early, the Ops token remains). This prevents the RP from requesting /endSession, as the Ops token is gone.

      How to reproduce the issue

      1) Configure the OIDC provider with an OIDC lifetime of 20s (also enable 'allow clients to skip consent')
      2) Configure an OIDC client with the auth code and refresh token flows enabled (also enable 'implied consent')
      3) Perform an Auth-Code flow and check the CTS for the Ops token (coreTokenType: OAUTH)
      4) After 10s, perform a Refresh token flow (note the opstoken claim exists with the same value as in the prior OIDC token)
      5) Check the DS CTS again; the Ops token entry is gone

      Re-try the flow and refresh after 5s; the Ops token remains.

      Expected behaviour
      Ops token should remain

      Current behaviour
      Ops token is deleted

      Code analysis

      Exception in the OAuth2Provider log:

      OAuth2Provider
      ...
      Destroying session using ops claim from ID Token
      Destroying session using ops claim from ID Token
      OAuth2Provider:01/29/2021 12:37:36:120 PM GMT: Thread[http-nio-48080-exec-29,5,main]: TransactionId[22cf7c40-bf2e-40f7-8e17-50da153f86e8-21165]
      ERROR: Unable to get id_token meta data
      org.forgerock.openam.cts.exceptions.CoreTokenException: CTS: Unable to find id_token
          at org.forgerock.openidconnect.OpenIDConnectProvider.destroySessionViaKey(OpenIDConnectProvider.java:101)
          at org.forgerock.openidconnect.OpenIDConnectEndSession.endSession(OpenIDConnectEndSession.java:74)
          at org.forgerock.openidconnect.restlet.EndSession.endSession(EndSession.java:107)
          at sun.reflect.GeneratedMethodAccessor131.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      ..
      OAuth2Provider:01/29/2021 12:37:36:128 PM GMT: Thread[http-nio-48080-exec-29,5,main]: TransactionId[22cf7c40-bf2e-40f7-8e17-50da153f86e8-21165]
      WARNING: Failure to destroy session
      org.forgerock.oauth2.core.exceptions.ServerException: Unable to get id_token meta data
          at org.forgerock.openidconnect.OpenIDConnectProvider.destroySessionViaKey(OpenIDConnectProvider.java:112)
          at org.forgerock.openidconnect.OpenIDConnectEndSession.endSession(OpenIDConnectEndSession.java:74)
          at org.forgerock.openidconnect.restlet.EndSession.endSession(EndSession.java:107)
          at sun.reflect.GeneratedMethodAccessor131.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:498)
      ..
      Caused by: org.forgerock.openam.cts.exceptions.CoreTokenException: CTS: Unable to find id_token
          at org.forgerock.openidconnect.OpenIDConnectProvider.destroySessionViaKey(OpenIDConnectProvider.java:101)
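      The reproduction steps above can be checked offline against captured artifacts. The following is an added example, not code from the OpenAM project or from this ticket: it decodes the ID token returned by the auth-code grant and by the refresh grant, confirms the session-ops claim kept the same value, and looks for the matching CTS entry in an LDIF dump taken before and after the refresh. Assumptions not stated on the page: the claim is named `ops`, the CTS entry for it has coreTokenId equal to that value and coreTokenType OAUTH, and the LDIF uses the CTS attribute names shown. The tokens and LDIF in the block are constructed sample data, not captured from an AM instance.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Payload of a compact JWT. No signature check: this inspects tokens the
    harness itself obtained from the token endpoint; never use it to accept one."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_unsigned_jwt(claims: dict) -> str:
    """alg=none token used only to build the constructed sample data below."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: blank-line separated entries of `attr: value` lines
    (enough for an ldapsearch dump of CTS entries; no base64 or folded values)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_ops_entry(entries: list, ops_id: str):
    """CTS entry for the session-ops id (assumed: coreTokenId == ops, type OAUTH)."""
    for entry in entries:
        if entry.get("coreTokenId") == [ops_id] and entry.get("coreTokenType") == ["OAUTH"]:
            return entry
    return None


def check_refresh_preserves_ops(id_token_before: str, id_token_after: str,
                                cts_before: str, cts_after: str) -> dict:
    """Compare the ops claim across the two ID tokens and the CTS state around
    the refresh. bug_reproduced mirrors the ticket: same ops value, entry gone."""
    ops_before = jwt_claims(id_token_before)["ops"]          # assumed claim name
    ops_after = jwt_claims(id_token_after).get("ops")
    present_before = find_ops_entry(parse_ldif(cts_before), ops_before) is not None
    present_after = find_ops_entry(parse_ldif(cts_after), ops_before) is not None
    return {
        "ops_unchanged": ops_before == ops_after,
        "present_before": present_before,
        "present_after": present_after,
        "bug_reproduced": ops_before == ops_after and present_before and not present_after,
    }


# Constructed sample data (not captured from AM): an ops id, the ID tokens from
# the auth-code grant and the refresh grant, and CTS dumps before/after refresh.
OPS_ID = "c0ffee00-0000-4000-8000-constructed1"
ID_TOKEN_INITIAL = make_unsigned_jwt({"sub": "demo", "ops": OPS_ID, "exp": 1611924000})
ID_TOKEN_REFRESHED = make_unsigned_jwt({"sub": "demo", "ops": OPS_ID, "exp": 1611924020})

CTS_OTHER_ENTRY = """\
dn: coreTokenId=someothersession,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
coreTokenId: someothersession
coreTokenType: SESSION
"""
CTS_OPS_ENTRY = f"""\
dn: coreTokenId={OPS_ID},ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
objectClass: frCoreToken
coreTokenId: {OPS_ID}
coreTokenType: OAUTH
"""
CTS_BEFORE_REFRESH = CTS_OPS_ENTRY + "\n" + CTS_OTHER_ENTRY   # step 3: entry present
CTS_AFTER_REFRESH = CTS_OTHER_ENTRY                           # step 5: entry gone


if __name__ == "__main__":
    print(check_refresh_preserves_ops(ID_TOKEN_INITIAL, ID_TOKEN_REFRESHED,
                                      CTS_BEFORE_REFRESH, CTS_AFTER_REFRESH))
```

      Against a real instance, replace the constructed data with the `id_token` fields of the two token responses and with ldapsearch output for the CTS base DN taken after step 3 and after step 5. A result with `bug_reproduced` True is the symptom in this ticket, and the endSession failure in the log above follows directly from `present_after` being False: destroySessionViaKey looks the ops value up in the CTS and finds nothing.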

      People

        lawrence.yarham Lawrence Yarham
        anastasios.kampas Anastasios Kampas