OpenAM: OPENAM-7048

coreTokenExpirationDate for OIDC tokens is specified in seconds instead of milliseconds

    Details

    • Sprint:
      AM Sustaining Sprint 13

      Description

      Steps to reproduce:

      • Set up your OpenAM as an OIDC provider
      • Try to obtain an id_token as an end user, for example:
        http://openam.example.com:8080/openam/oauth2/authorize?response_type=id_token%20token&client_id=myclient&realm=%2F&scope=openid%20profile&redirect_uri=http://localhost&nonce=foo
        

      Once you received the id_token, browse CTS for a corresponding token entry:

      dn: coreTokenId=fe111217-0c19-4b36-b729-2d19b01951a7,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
      objectClass: top
      objectClass: frCoreToken
      coreTokenType: OAUTH
      coreTokenId: fe111217-0c19-4b36-b729-2d19b01951a7
      coreTokenExpirationDate: 19700117181327.083+0100
      coreTokenObject: {"id":["fe111217-0c19-4b36-b729-2d19b01951a7"],"ops":["AQIC5wM2LY4SfczbLfr4uTcoUtNItjP8U3YBOfx5Z5DjigU.*AAJTSQACMDEAAlNLABMxMTY5NTIzMDUyMzc4NDc3NDEzAAJTMQAA*"],"expireTime":["1444407083"]}
      

      As can be seen, the coreTokenExpirationDate is set to 1970: the seconds-based expiry value has been stored as if it were milliseconds. This means the CTS reaper will remove that token within a minute of its creation (check the CTS access logs for that).

      The OpenID Connect specification defines the expiration date (the exp claim) as a number of seconds since the epoch, so we need to:

      • store the expiration date in seconds in the ID Token
      • set the token expiration date for the CTS in milliseconds.

      Because of this bug, the token entry has already been reaped from the CTS by the time the session is ended, so the endSession endpoint cannot look up the id_token and you won't be able to end the session.

      The curl command

      curl --header "Authorization: Bearer <access_token_from_previous_step>" <OPENAM_BASE_URL>/oauth2/connect/endSession?id_token_hint=<id_token_from_previous_step>
      

      will return

      {
        "error": "server_error",
        "error_description": "Unable to get id_token meta data"
      }
      

      A solution could be:

      OpenAMTokenStore.java
                  // exp is the id_token "exp" claim (seconds since the epoch, per the OIDC spec);
                  // the CTS EXPIRE_TIME field is in milliseconds, so convert before storing.
                  tokenStore.create(json(object(
                          field(OAuth2Constants.CoreTokenParams.ID, set(opsId)),
                          field(OAuth2Constants.JWTTokenParams.OPS, set(ops)),
                          field(OAuth2Constants.CoreTokenParams.EXPIRE_TIME, set(Long.toString(exp * 1000))))));
      
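      The unit mismatch described above and the proposed fix, worked through in Python as an added example (this is not OpenAM code): it parses the CTS entry quoted in the report, shows that the stored coreTokenExpirationDate is exactly the seconds-based expireTime value read as milliseconds, applies the ×1000 conversion from the proposed patch, and reports whether the reaper would delete the entry before endSession can use it. The GeneralizedTime parser, parse_cts_entry, check_entry and the SAMPLE_ENTRY constant are assumptions introduced for illustration; the "ops" session token in the sample is replaced by a placeholder.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the CTS entry quoted in the issue, trimmed to the attributes
# used below (the "ops" session token is replaced by a placeholder).
SAMPLE_ENTRY = """\
coreTokenType: OAUTH
coreTokenId: fe111217-0c19-4b36-b729-2d19b01951a7
coreTokenExpirationDate: 19700117181327.083+0100
coreTokenObject: {"id":["fe111217-0c19-4b36-b729-2d19b01951a7"],"ops":["<ops-placeholder>"],"expireTime":["1444407083"]}
"""

# LDAP GeneralizedTime as written by the CTS: YYYYMMDDHHMMSS[.fff] followed by Z or +HHMM.
_GT_RE = re.compile(r"^(\d{14})(?:\.(\d{1,3}))?(Z|[+-]\d{4})$")


def parse_generalized_time(value: str) -> int:
    """Convert a CTS coreTokenExpirationDate string to epoch milliseconds."""
    m = _GT_RE.match(value)
    if not m:
        raise ValueError(f"not a GeneralizedTime value: {value!r}")
    base, frac, tz = m.groups()
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    dt = datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone(offset))
    millis = int((frac or "0").ljust(3, "0"))
    return int(dt.timestamp()) * 1000 + millis


def format_generalized_time(epoch_ms: int) -> str:
    """Inverse of parse_generalized_time, always rendered in UTC ('Z')."""
    dt = datetime.fromtimestamp(epoch_ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y%m%d%H%M%S") + f".{epoch_ms % 1000:03d}Z"


def cts_expiration_millis(exp_seconds: int) -> int:
    """The conversion from the proposed fix: the id_token 'exp' claim is a
    NumericDate in seconds, the CTS EXPIRE_TIME field is milliseconds."""
    return exp_seconds * 1000


def parse_cts_entry(text: str) -> dict:
    """Minimal 'attribute: value' parser for the attributes we need (assumed helper)."""
    entry = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            entry[key.strip()] = value.strip()
    return entry


def check_entry(text: str, now_ms: int) -> dict:
    """Compare the expiry the CTS reaper sees with the expiry the token claims."""
    entry = parse_cts_entry(text)
    token = json.loads(entry["coreTokenObject"])
    exp_seconds = int(token["expireTime"][0])
    stored_ms = parse_generalized_time(entry["coreTokenExpirationDate"])
    expected_ms = cts_expiration_millis(exp_seconds)
    return {
        "exp_seconds": exp_seconds,
        "stored_ms": stored_ms,
        "expected_ms": expected_ms,
        # Exact signature of this bug: the seconds value was written as milliseconds.
        "seconds_written_as_millis": stored_ms == exp_seconds,
        # What the reaper acts on: a stored expiry in the past means the entry is
        # deleted on the next reaper run, and endSession can no longer find it.
        "reaper_will_delete": stored_ms < now_ms,
        # What the entry should carry after the fix.
        "corrected_expiration_date": format_generalized_time(expected_ms),
    }


if __name__ == "__main__":
    # now_ms is a constructed value: one hour before the token's claimed expiry.
    print(json.dumps(check_entry(SAMPLE_ENTRY, now_ms=1444403483000), indent=2))
```

      Run against the quoted entry, the stored expiry parses back to exactly 1444407083 ms (17 January 1970), matching the expireTime of 1444407083 seconds, which is the factor-of-1000 error the patch corrects; the same check on an entry written after the fix reports a 2015 expiry and no reaping.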

              People

              • Assignee:
                Quentin CASTEL (quentin.castel) [X] (Inactive)
              • Reporter:
                Quentin CASTEL (quentin.castel) [X] (Inactive)
              • Votes: 0
              • Watchers: 6
