OpenAM / OPENAM-6039

Asynchronous queue for OAuth2 Tokens can result in token validation failures

Details

Sprint: Sprint 83 - Sustaining, Sprint 84 - Sustaining

Description

CTS tokenstore internally uses blocking queues to distribute the Tasks to the task processors. On operations like Create, the tokenstore queues the request and returns the control to the calling method. In the following scenario this implementation doesn't work:

If a Create request is executed on server 1 and a read/update request is made on server 2, then it's possible that the request on server 2 is processed before the request on server 1.

Our usage of OAuth involves 2 steps: 1) get access token and 2) use access token to authenticate users. With OpenAM 11 we have ~zero failures; with OpenAM 12, we are observing close to 1.2-1.3% authenticate failures due to the mentioned problem.

We can't use affinity in this case as there is no session token used in either of the OAuth calls. The fix could be to wait for the operation to be completed by CTS before returning the response to the client. But doing so with the current implementation simply negates the purpose of having queues in the first place. Given that, the correct fix in my opinion would be to replace the async CTS with sync CTS.
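The cross-server race in the description, modelled as an added Python example that is not OpenAM's code: a queued create returns to the caller before the backend write lands, so a read on a second server against the shared store misses the token, while blocking on the queued task's completion (the proposed fix) makes the token visible before the client can present it. The class and function names and the simulated write delay are constructed for illustration.

```python
import queue
import threading
import time
from concurrent.futures import Future


class AsyncTokenStore:
    """Constructed model of a CTS-style store: create requests are queued
    and handed to a background task processor, and control returns to the
    caller before the backend write has happened."""

    def __init__(self, store, write_delay):
        self.store = store                # shared backend read by every server
        self.write_delay = write_delay    # simulated slow backend write
        self.tasks = queue.Queue()
        threading.Thread(target=self._process, daemon=True).start()

    def _process(self):
        while True:
            token_id, token, done = self.tasks.get()
            time.sleep(self.write_delay)
            self.store[token_id] = token
            done.set_result(token_id)

    def create_async(self, token_id, token):
        done = Future()
        self.tasks.put((token_id, token, done))
        return done                       # caller does not wait for the write

    def create_sync(self, token_id, token, timeout=5.0):
        # Proposed fix: do not answer the client until CTS has completed the task.
        return self.create_async(token_id, token).result(timeout=timeout)


def validate_on_other_server(store, token_id):
    """Server 2 reads the shared store directly; no affinity is possible."""
    return token_id in store


def issue_and_validate(wait_for_cts):
    """Issue a token on server 1, then immediately validate it on server 2."""
    store = {}
    server1 = AsyncTokenStore(store, write_delay=0.2)
    if wait_for_cts:
        server1.create_sync("access-token-1", {"scope": "openid"})
    else:
        server1.create_async("access-token-1", {"scope": "openid"})
    return validate_on_other_server(store, "access-token-1")


if __name__ == "__main__":
    print("async create validated:", issue_and_validate(False))  # False
    print("sync create validated:", issue_and_validate(True))    # True
```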

People

Assignee: Peter Major (peter.major) (Inactive)
Reporter: Matt Miller (matthew.miller@forgerock.com) (Inactive)
Votes: 1
Watchers: 9

Time Tracking

Original Estimate: 0h
Remaining Estimate: 0h
Time Spent: 13h