OpenAM / OPENAM-7158

JWT token lifetime is read in milliseconds instead of seconds

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.3
    • Fix Version/s: 12.0.3
    • Component/s: oauth2

      Description

      Since OPENAM-7048, the "forgerock-oauth2-provider-jwt-token-lifetime" is read not in seconds but in milliseconds.
      By default, the lifetime is 600, which is read as 600 ms instead of 600 seconds.

      To reproduce the issue:

       curl \
       --request POST \
       --data "client_id=myClientID&client_secret=changeit&grant_type=password&username=demo&password=changeit&scope=openid+profile" \
       http://openam.example.com:28080/openam/oauth2/access_token
       
       
       
      {"scope":"openid profile","expires_in":599,"token_type":"Bearer","id_token":"eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAiY3R5IjogIkpXVCIsICJraWQiOiAiMDgzYzIxMDYtMTg5ZC00NDg2LWE3M2MtZDY5MjRjOTM3MGE5IiB9.eyAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF6cCI6ICJteUNsaWVudElEIiwgInN1YiI6ICJkZW1vIiwgImF0X2hhc2giOiAiZXRTMlppTWV0UHpOcWtySXJCNmlPQSIsICJpc3MiOiAiaHR0cDovL29wZW5hbS5leGFtcGxlLmNvbToyODA4MC9vcGVuYW0vb2F1dGgyIiwgImlhdCI6IDE0NDUyNjc2MjQsICJhdXRoX3RpbWUiOiAxNDQ1MjY3NjI0LCAiZXhwIjogMTQ0NTI2ODIyNCwgInRva2VuVHlwZSI6ICJKV1RUb2tlbiIsICJyZWFsbSI6ICIvIiwgImF1ZCI6IFsgIm15Q2xpZW50SUQiIF0sICJvcHMiOiAiZTc0ZDUxNjMtMjgwMi00OWJmLWFlZWItNTgxZGUxNTZhYzg0IiB9.DmWq8iNyYRBc4_6YoI-0If7DRKRre7vPGLP2_SoiGK_xzbggF3Zlijl78LtSS3MT4Iooz63TKWEGacUrjFZm5l9nvNY8UBD1u2RwfXfgV8KZIR3-KB6bV9XgFyMJuqsx2wdRhbot_wstUEvRAVslMuR_s_fc7Gtjcm7Rhi5ZS0I","access_token":"f232708f-df07-4853-8f2b-c4d1147aafbf"}
      
      

      Wait a few seconds, or OpenAM won't have time to clean the id token.

       curl \
       --request GET \
       --header "Authorization: Bearer f232708f-df07-4853-8f2b-c4d1147aafbf" \
       http://openam.example.com:28080/openam/oauth2/connect/endSession?id_token_hint=eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAiY3R5IjogIkpXVCIsICJraWQiOiAiMDgzYzIxMDYtMTg5ZC00NDg2LWE3M2MtZDY5MjRjOTM3MGE5IiB9.eyAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF6cCI6ICJteUNsaWVudElEIiwgInN1YiI6ICJkZW1vIiwgImF0X2hhc2giOiAiZXRTMlppTWV0UHpOcWtySXJCNmlPQSIsICJpc3MiOiAiaHR0cDovL29wZW5hbS5leGFtcGxlLmNvbToyODA4MC9vcGVuYW0vb2F1dGgyIiwgImlhdCI6IDE0NDUyNjc2MjQsICJhdXRoX3RpbWUiOiAxNDQ1MjY3NjI0LCAiZXhwIjogMTQ0NTI2ODIyNCwgInRva2VuVHlwZSI6ICJKV1RUb2tlbiIsICJyZWFsbSI6ICIvIiwgImF1ZCI6IFsgIm15Q2xpZW50SUQiIF0sICJvcHMiOiAiZTc0ZDUxNjMtMjgwMi00OWJmLWFlZWItNTgxZGUxNTZhYzg0IiB9.DmWq8iNyYRBc4_6YoI-0If7DRKRre7vPGLP2_SoiGK_xzbggF3Zlijl78LtSS3MT4Iooz63TKWEGacUrjFZm5l9nvNY8UBD1u2RwfXfgV8KZIR3-KB6bV9XgFyMJuqsx2wdRhbot_wstUEvRAVslMuR_s_fc7Gtjcm7Rhi5ZS0I
      
      
      
      {
        "error": "server_error",
        "error_description": "Unable to get id_token meta data"
      }
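
The unit mismatch described in this issue, as an added example that is not OpenAM code: a simplified model that assumes the server stores id_token metadata with an expiry in epoch milliseconds while the lifetime setting is in seconds. The function names, the in-memory store and the unsigned sample token are hypothetical and constructed for illustration; `lifetime_mismatch` is the kind of regression check that catches the bug by comparing the stored lifetime with the token's `exp - iat` claim.

```python
import base64
import json

LIFETIME = 600  # configured in seconds (the default quoted in this issue)

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_id_token(now_ms, store, seconds_aware):
    """Issue a constructed, unsigned id_token and record server-side expiry (epoch ms)."""
    iat = now_ms // 1000
    claims = {"sub": "demo", "iat": iat, "exp": iat + LIFETIME}
    token = _b64url({"alg": "none"}) + "." + _b64url(claims) + "."
    # Unit bug: the store uses milliseconds, the setting is in seconds.
    delta_ms = LIFETIME * 1000 if seconds_aware else LIFETIME
    store[token] = now_ms + delta_ms
    return token

def end_session(token, now_ms, store):
    """Hypothetical lookup: fails once the stored metadata has expired."""
    if store.get(token, 0) <= now_ms:
        store.pop(token, None)
        return {"error": "server_error",
                "error_description": "Unable to get id_token meta data"}
    return {"status": "ok"}

def lifetime_mismatch(token, issued_ms, store):
    """Regression check: stored lifetime must equal the exp - iat claim, in seconds."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    stored_s = (store[token] - issued_ms) / 1000
    return stored_s != claims["exp"] - claims["iat"]

def demo():
    t0 = 1_700_000_000_000  # constructed issue time, epoch ms
    results = {}
    for name, aware in (("buggy", False), ("fixed", True)):
        store = {}
        tok = issue_id_token(t0, store, aware)
        results[name] = (lifetime_mismatch(tok, t0, store),
                         "error" in end_session(tok, t0 + 3000, store))
    return results

if __name__ == "__main__":
    print(demo())
```

Each entry returned by `demo()` is a pair: whether the stored lifetime disagrees with the claims, and whether an endSession lookup three seconds after issuance fails.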
      

              People

              • Assignee: Quentin CASTEL (quentin.castel) (Inactive)
              • Reporter: Quentin CASTEL (quentin.castel) (Inactive)