OpenAM / OPENAM-7482

Access_token request (grant_type authorization_code) generates an unnecessary fourth token in the CTS

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.2, 13.0.0
    • Fix Version/s: 12.0.3, 13.0.0
    • Component/s: None
    • Labels: None
    • Sprint: Sprint 99 - Team Tesla

      Description

      Doing the same sequence to generate an OAuth2/OIDC token (SSO login, oauth2/authorize, access_token with authz code), 4 tokens are created on the DJ CTS side.

      The first 3 tokens appear to be the access, refresh and openid tokens, but the fourth is unexpected (and looks unnecessary). See AME-9139. Example:

      dn: coreTokenId=99224a00-89a9-44e9-b24e-2f38e1cfea81,dc=com
      objectClass: top
      objectClass: frCoreToken
      coreTokenObject: {"id":["99224a00-89a9-44e9-b24e-2f38e1cfea81"],"ops":["AQIC5wM2
       LY4SfczXSMHmji5MIPC4qQMFPBlSXVOdpUiImhI.*AAJTSQACMDEAAlNLABI5ODQwMDcwNzQ2NjEzOD
       c4MzIAAlMxAAA.*"],"expireTime":["1447839932000"]}
      coreTokenType: OAUTH
      coreTokenExpirationDate: 20151118104532+0100
      coreTokenId: 99224a00-89a9-44e9-b24e-2f38e1cfea81
      

      This has a significant impact on performance, especially with bigger deployments.

      The same problem can be reproduced with both AM 13.0.0 and 12.0.2.

      Here are the complete 4 tokens which can be found at the end of the sequence with both versions:
      With AM13.0.0:

      dn: coreTokenId=e853fe71-46ed-42bb-90f4-6b9f1948a0fa,dc=com
      objectClass: top
      objectClass: frCoreToken
      coreTokenObject: {"redirectURI":["http://fake.com"],"clientID":["clientOIDC"],"a
       uditTrackingId":["36e62357-61d3-4b86-9730-8bc79788f9b5"],"tokenName":["refresh_
       token"],"authModules":["LDAP"],"userName":["user.0"],"acr":[],"expireTime":["14
       47839932594"],"grant_type":["authorization_code"],"scope":["openid"],"realm":["
       /myrealm"],"id":["e853fe71-46ed-42bb-90f4-6b9f1948a0fa"],"tokenType":["Bearer"]
       }
      coreTokenString08: /myrealm
      coreTokenString07: Bearer
      coreTokenType: OAUTH
      coreTokenString09: clientOIDC
      coreTokenString10: refresh_token
      coreTokenExpirationDate: 20151118104532.594+0100
      coreTokenId: e853fe71-46ed-42bb-90f4-6b9f1948a0fa
      coreTokenString12: authorization_code
      coreTokenString01: openid
      coreTokenString04: http://fake.com
      coreTokenString03: user.0
      
      dn: coreTokenId=adb35440-cf4f-482d-9ab2-f06274cec3a5,dc=com
      objectClass: top
      objectClass: frCoreToken
      coreTokenString11: -empty-
      coreTokenString10: access_token
      coreTokenString02: eb848e6c-526c-4a0c-a248-dfec1f1c80f8
      coreTokenExpirationDate: 20151118103632.597+0100
      coreTokenString12: authorization_code
      coreTokenString01: openid
      coreTokenString04: http://fake.com
      coreTokenString03: user.0
      coreTokenString05: e853fe71-46ed-42bb-90f4-6b9f1948a0fa
      coreTokenObject: {"redirectURI":["http://fake.com"],"parent":["eb848e6c-526c-4a0
       c-a248-dfec1f1c80f8"],"clientID":["clientOIDC"],"auditTrackingId":["d11020eb-5e
       1f-46c1-9fd9-c0305615fa36"],"tokenName":["access_token"],"userName":["user.0"],
       "nonce":[],"expireTime":["1447839392597"],"grant_type":["authorization_code"],"
       scope":["openid"],"realm":["/myrealm"],"id":["adb35440-cf4f-482d-9ab2-f06274cec
       3a5"],"tokenType":["Bearer"],"refreshToken":["e853fe71-46ed-42bb-90f4-6b9f1948a
       0fa"]}
      coreTokenString08: /myrealm
      coreTokenString07: Bearer
      coreTokenType: OAUTH
      coreTokenString09: clientOIDC
      coreTokenId: adb35440-cf4f-482d-9ab2-f06274cec3a5
      
      dn: coreTokenId=eb848e6c-526c-4a0c-a248-dfec1f1c80f8,dc=com
      objectClass: top
      objectClass: frCoreToken
      coreTokenString11: -empty-
      coreTokenString10: access_code
      coreTokenString13: AQIC5wM2LY4SfczXSMHmji5MIPC4qQMFPBlSXVOdpUiImhI.*AAJTSQACMDEA
       AlNLABI5ODQwMDcwNzQ2NjEzODc4MzIAAlMxAAA.*
      coreTokenExpirationDate: 20151118103632.578+0100
      coreTokenString01: openid
      coreTokenString04: http://fake.com
      coreTokenString03: user.0
      coreTokenString06: true
      coreTokenObject: {"redirectURI":["http://fake.com"],"clientID":["clientOIDC"],"s
       soTokenId":["AQIC5wM2LY4SfczXSMHmji5MIPC4qQMFPBlSXVOdpUiImhI.*AAJTSQACMDEAAlNLA
       BI5ODQwMDcwNzQ2NjEzODc4MzIAAlMxAAA.*"],"tokenName":["access_code"],"authModules
       ":["LDAP"],"code_challenge_method":[],"userName":["user.0"],"nonce":[],"acr":[]
       ,"expireTime":["1447839392578"],"scope":["openid"],"claims":[null],"realm":["/m
       yrealm"],"id":["eb848e6c-526c-4a0c-a248-dfec1f1c80f8"],"tokenType":["Bearer"],"
       code_challenge":[],"issued":["true"]}
      coreTokenString08: /myrealm
      coreTokenString07: Bearer
      coreTokenType: OAUTH
      coreTokenString09: clientOIDC
      coreTokenId: eb848e6c-526c-4a0c-a248-dfec1f1c80f8
      
      dn: coreTokenId=99224a00-89a9-44e9-b24e-2f38e1cfea81,dc=com
      objectClass: top
      objectClass: frCoreToken
      coreTokenObject: {"id":["99224a00-89a9-44e9-b24e-2f38e1cfea81"],"ops":["AQIC5wM2
       LY4SfczXSMHmji5MIPC4qQMFPBlSXVOdpUiImhI.*AAJTSQACMDEAAlNLABI5ODQwMDcwNzQ2NjEzOD
       c4MzIAAlMxAAA.*"],"expireTime":["1447839932000"]}
      coreTokenType: OAUTH
      coreTokenExpirationDate: 20151118104532+0100
      coreTokenId: 99224a00-89a9-44e9-b24e-2f38e1cfea81
      

      With AM12.0.2:

      dn: coreTokenId=4e0052ed-e8d0-4dd3-97a4-9dc4ae897be9,dc=com
      objectClass: top
      objectClass: frCoreToken
      coreTokenString11: -empty-
      coreTokenString10: access_token
      coreTokenExpirationDate: 20151118105212.556+0100
      coreTokenString02: 137b966c-6d50-4102-ab89-9f61a383b303
      coreTokenString01: openid
      coreTokenString12: authorization_code
      coreTokenString04: http://fake.com
      coreTokenString03: user.0
      coreTokenString05: b7e820f6-bce5-40c1-a547-6f9a5893b288
      coreTokenString08: myrealm
      coreTokenObject: {"redirectURI":["http://fake.com"],"parent":["137b966c-6d50-410
       2-ab89-9f61a383b303"],"clientID":["clientOIDC"],"tokenName":["access_token"],"u
       serName":["user.0"],"nonce":[],"expireTime":["1447840332556"],"grant_type":["au
       thorization_code"],"scope":["openid"],"realm":["myrealm"],"id":["4e0052ed-e8d0-
       4dd3-97a4-9dc4ae897be9"],"tokenType":["Bearer"],"refreshToken":["b7e820f6-bce5-
       40c1-a547-6f9a5893b288"]}
      coreTokenString07: Bearer
      coreTokenString09: clientOIDC
      coreTokenType: OAUTH
      coreTokenId: 4e0052ed-e8d0-4dd3-97a4-9dc4ae897be9
      
      dn: coreTokenId=b7e820f6-bce5-40c1-a547-6f9a5893b288,dc=com
      objectClass: top
      objectClass: frCoreToken
      coreTokenString08: myrealm
      coreTokenObject: {"redirectURI":["http://fake.com"],"acr":[],"clientID":["client
       OIDC"],"expireTime":["1447840872556"],"grant_type":["authorization_code"],"scop
       e":["openid"],"tokenName":["refresh_token"],"authModules":["LDAP"],"realm":["my
       realm"],"id":["b7e820f6-bce5-40c1-a547-6f9a5893b288"],"userName":["user.0"],"to
       kenType":["Bearer"]}
      coreTokenString07: Bearer
      coreTokenString09: clientOIDC
      coreTokenType: OAUTH
      coreTokenString10: refresh_token
      coreTokenExpirationDate: 20151118110112.556+0100
      coreTokenId: b7e820f6-bce5-40c1-a547-6f9a5893b288
      coreTokenString12: authorization_code
      coreTokenString01: openid
      coreTokenString04: http://fake.com
      coreTokenString03: user.0
      
      dn: coreTokenId=137b966c-6d50-4102-ab89-9f61a383b303,dc=com
      objectClass: top
      objectClass: frCoreToken
      coreTokenString11: -empty-
      coreTokenString10: access_code
      coreTokenExpirationDate: 20151118105212.530+0100
      coreTokenString13: AQIC5wM2LY4SfcznZEMp0PUePU5TSL8zdCM0Wjo5fKVlf50.*AAJTSQACMDEA
       AlNLABM2NjI3NjMzOTI4MDQyNTk4MDE5*
      coreTokenString01: openid
      coreTokenString04: http://fake.com
      coreTokenString03: user.0
      coreTokenString06: true
      coreTokenString08: myrealm
      coreTokenObject: {"redirectURI":["http://fake.com"],"clientID":["clientOIDC"],"s
       soTokenId":["AQIC5wM2LY4SfcznZEMp0PUePU5TSL8zdCM0Wjo5fKVlf50.*AAJTSQACMDEAAlNLA
       BM2NjI3NjMzOTI4MDQyNTk4MDE5*"],"tokenName":["access_code"],"authModules":["LDAP
       "],"userName":["user.0"],"nonce":[],"acr":[],"expireTime":["1447840332530"],"sc
       ope":["openid"],"realm":["myrealm"],"id":["137b966c-6d50-4102-ab89-9f61a383b303
       "],"tokenType":["Bearer"],"issued":["true"]}
      coreTokenString07: Bearer
      coreTokenString09: clientOIDC
      coreTokenType: OAUTH
      coreTokenId: 137b966c-6d50-4102-ab89-9f61a383b303
      
      dn: coreTokenId=1419ece0-b007-47f0-bf31-2c2c1be9e0ca,dc=com
      objectClass: top
      objectClass: frCoreToken
      coreTokenObject: {"id":["1419ece0-b007-47f0-bf31-2c2c1be9e0ca"],"ops":["AQIC5wM2
       LY4SfcznZEMp0PUePU5TSL8zdCM0Wjo5fKVlf50.*AAJTSQACMDEAAlNLABM2NjI3NjMzOTI4MDQyNT
       k4MDE5*"],"expireTime":["1447840872"]}
      coreTokenType: OAUTH
      coreTokenExpirationDate: 19700117191040.872+0100
      coreTokenId: 1419ece0-b007-47f0-bf31-2c2c1be9e0ca
      
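      The dumps above are easier to reason about with a small audit script than by eye. The following is an added example, not OpenAM code or anything attached to this issue: it unfolds LDIF continuation lines, parses each coreTokenObject, groups the entries by tokenName, checks that the access_token points at a stored access_code and refresh_token, and flags two things visible in the data above. First, the fourth entry in each dump has no tokenName at all (it only carries the SSO token ID under "ops"). Second, in the 12.0.2 dump that entry's expireTime is 1447840872 (ten digits) where every other entry has thirteen, and its coreTokenExpirationDate is 19700117191040.872+0100, which is exactly what 1447840872 gives when read as milliseconds since the epoch. The embedded sample is constructed from the 12.0.2 entries, trimmed to the attributes the script needs, with the session ID replaced by a placeholder string.

```python
"""Audit frCoreToken entries from a CTS LDIF export (added example, not OpenAM code)."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the four AM 12.0.2 entries from the issue, trimmed.
# Lines starting with a single space are LDIF continuation lines.
SAMPLE_LDIF = """\
dn: coreTokenId=4e0052ed-e8d0-4dd3-97a4-9dc4ae897be9,dc=com
objectClass: frCoreToken
coreTokenExpirationDate: 20151118105212.556+0100
coreTokenObject: {"parent":["137b966c-6d50-4102-ab89-9f61a383b303"],"tokenName":["a
 ccess_token"],"expireTime":["1447840332556"],"id":["4e0052ed-e8d0-4dd3-97a4-9dc4ae8
 97be9"],"refreshToken":["b7e820f6-bce5-40c1-a547-6f9a5893b288"]}
coreTokenType: OAUTH
coreTokenId: 4e0052ed-e8d0-4dd3-97a4-9dc4ae897be9

dn: coreTokenId=b7e820f6-bce5-40c1-a547-6f9a5893b288,dc=com
objectClass: frCoreToken
coreTokenObject: {"expireTime":["1447840872556"],"tokenName":["refresh_token"],"id":
 ["b7e820f6-bce5-40c1-a547-6f9a5893b288"]}
coreTokenType: OAUTH
coreTokenExpirationDate: 20151118110112.556+0100
coreTokenId: b7e820f6-bce5-40c1-a547-6f9a5893b288

dn: coreTokenId=137b966c-6d50-4102-ab89-9f61a383b303,dc=com
objectClass: frCoreToken
coreTokenExpirationDate: 20151118105212.530+0100
coreTokenObject: {"tokenName":["access_code"],"expireTime":["1447840332530"],"id":["1
 37b966c-6d50-4102-ab89-9f61a383b303"],"issued":["true"]}
coreTokenType: OAUTH
coreTokenId: 137b966c-6d50-4102-ab89-9f61a383b303

dn: coreTokenId=1419ece0-b007-47f0-bf31-2c2c1be9e0ca,dc=com
objectClass: frCoreToken
coreTokenObject: {"id":["1419ece0-b007-47f0-bf31-2c2c1be9e0ca"],"ops":["SSO-TOKEN-PLACEHOLDER"],"expireTime":["1447840872"]}
coreTokenType: OAUTH
coreTokenExpirationDate: 19700117191040.872+0100
coreTokenId: 1419ece0-b007-47f0-bf31-2c2c1be9e0ca
"""

_GT = re.compile(r"^(\d{14})(?:\.(\d{1,3}))?([+-])(\d{2})(\d{2})$")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _to_entry(lines):
    """Turn unfolded 'attr: value' lines into {attr: [values]}."""
    entry = {}
    for line in lines:
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry


def parse_ldif(text):
    """Split an LDIF dump into entries, joining continuation lines (leading space dropped)."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                entries.append(_to_entry(lines))
                lines = []
        else:
            lines.append(raw)
    if lines:
        entries.append(_to_entry(lines))
    return entries


def parse_generalized_time(value):
    """Parse an LDAP generalized time such as 20151118105212.556+0100 into an aware datetime."""
    m = _GT.match(value)
    if not m:
        raise ValueError("unsupported generalized time: %r" % value)
    base, frac, sign, hh, mm = m.groups()
    offset = timedelta(hours=int(hh), minutes=int(mm))
    dt = datetime.strptime(base, "%Y%m%d%H%M%S")
    dt = dt.replace(tzinfo=timezone(-offset if sign == "-" else offset))
    if frac:
        dt += timedelta(milliseconds=int(frac.ljust(3, "0")))
    return dt


def epoch_ms(dt):
    """Milliseconds since the Unix epoch, computed with integer arithmetic to avoid float drift."""
    td = dt - _EPOCH
    return td.days * 86_400_000 + td.seconds * 1000 + td.microseconds // 1000


def audit(ldif_text):
    """Return token count, ids grouped by tokenName, and a list of findings."""
    tokens = {}
    for e in parse_ldif(ldif_text):
        if "frCoreToken" not in e.get("objectClass", []):
            continue
        obj = json.loads(e["coreTokenObject"][0])
        tokens[obj["id"][0]] = {
            "name": obj.get("tokenName", ["<none>"])[0],
            "expire_ms": int(obj["expireTime"][0]),
            "expiry": parse_generalized_time(e["coreTokenExpirationDate"][0]),
            "parent": obj.get("parent", [None])[0],
            "refresh": obj.get("refreshToken", [None])[0],
        }
    by_name, findings = {}, []
    for tid, t in tokens.items():
        by_name.setdefault(t["name"], []).append(tid)
        if t["name"] == "<none>":
            findings.append(f"{tid}: entry has no tokenName (extra CTS token)")
        # Other entries carry 13-digit millisecond values; a 10-digit value is seconds
        # and, read as milliseconds, yields an expiry in January 1970.
        if t["expire_ms"] < 10**12:
            findings.append(f"{tid}: expireTime {t['expire_ms']} looks like seconds, "
                            f"stored expiry is {t['expiry'].isoformat()}")
        if abs(epoch_ms(t["expiry"]) - t["expire_ms"]) > 1000:
            findings.append(f"{tid}: coreTokenExpirationDate disagrees with expireTime")
        if t["name"] == "access_token":
            if tokens.get(t["parent"], {}).get("name") != "access_code":
                findings.append(f"{tid}: parent {t['parent']} is not a stored access_code")
            if tokens.get(t["refresh"], {}).get("name") != "refresh_token":
                findings.append(f"{tid}: refreshToken {t['refresh']} is not a stored refresh_token")
    return {"count": len(tokens), "by_name": by_name, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_LDIF)
    print(result["count"], "tokens:", {k: len(v) for k, v in result["by_name"].items()})
    for f in result["findings"]:
        print("-", f)
```

      Run against a real export (ldapsearch output from the CTS suffix), the by_name grouping makes the per-flow token count obvious, and a growing population of "<none>" entries is the signal to watch for when assessing the performance impact the reporter describes. An expiry stamped in 1970 is also worth checking on its own, because the CTS reaper keys off coreTokenExpirationDate.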

            People

            • Assignee: jamesphillpotts James Phillpotts
            • Reporter: sberthol Sebastien Bertholet [X] (Inactive)