Doing the same sequence to generate an OAuth2/OIDC token (SSO login, oauth2/authorize, access_token with authz code), 4 tokens are created on the DJ CTS side.
The first 3 tokens appear to be the access, refresh and openid tokens, but the fourth is unexpected (and looks unnecessary). See AME-9139. Ex:
dn: coreTokenId=99224a00-89a9-44e9-b24e-2f38e1cfea81,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["99224a00-89a9-44e9-b24e-2f38e1cfea81"],"ops":["AQIC5wM2
 LY4SfczXSMHmji5MIPC4qQMFPBlSXVOdpUiImhI.*AAJTSQACMDEAAlNLABI5ODQwMDcwNzQ2NjEzOD
 c4MzIAAlMxAAA.*"],"expireTime":["1447839932000"]}
coreTokenType: OAUTH
coreTokenExpirationDate: 20151118104532+0100
coreTokenId: 99224a00-89a9-44e9-b24e-2f38e1cfea81
This has a significant impact on performance, especially with bigger deployments.
The same problem can be reproduced with both AM 13.0.0 and 12.0.2.
Here are the 4 complete tokens that can be found at the end of the sequence with each version:
With AM13.0.0:
dn: coreTokenId=e853fe71-46ed-42bb-90f4-6b9f1948a0fa,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":["http://fake.com"],"clientID":["clientOIDC"],"a
 uditTrackingId":["36e62357-61d3-4b86-9730-8bc79788f9b5"],"tokenName":["refresh_
 token"],"authModules":["LDAP"],"userName":["user.0"],"acr":[],"expireTime":["14
 47839932594"],"grant_type":["authorization_code"],"scope":["openid"],"realm":["
 /myrealm"],"id":["e853fe71-46ed-42bb-90f4-6b9f1948a0fa"],"tokenType":["Bearer"]
 }
coreTokenString08: /myrealm
coreTokenString07: Bearer
coreTokenType: OAUTH
coreTokenString09: clientOIDC
coreTokenString10: refresh_token
coreTokenExpirationDate: 20151118104532.594+0100
coreTokenId: e853fe71-46ed-42bb-90f4-6b9f1948a0fa
coreTokenString12: authorization_code
coreTokenString01: openid
coreTokenString04: http://fake.com
coreTokenString03: user.0

dn: coreTokenId=adb35440-cf4f-482d-9ab2-f06274cec3a5,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenString11: -empty-
coreTokenString10: access_token
coreTokenString02: eb848e6c-526c-4a0c-a248-dfec1f1c80f8
coreTokenExpirationDate: 20151118103632.597+0100
coreTokenString12: authorization_code
coreTokenString01: openid
coreTokenString04: http://fake.com
coreTokenString03: user.0
coreTokenString05: e853fe71-46ed-42bb-90f4-6b9f1948a0fa
coreTokenObject: {"redirectURI":["http://fake.com"],"parent":["eb848e6c-526c-4a0
 c-a248-dfec1f1c80f8"],"clientID":["clientOIDC"],"auditTrackingId":["d11020eb-5e
 1f-46c1-9fd9-c0305615fa36"],"tokenName":["access_token"],"userName":["user.0"],
 "nonce":[],"expireTime":["1447839392597"],"grant_type":["authorization_code"],"
 scope":["openid"],"realm":["/myrealm"],"id":["adb35440-cf4f-482d-9ab2-f06274cec
 3a5"],"tokenType":["Bearer"],"refreshToken":["e853fe71-46ed-42bb-90f4-6b9f1948a
 0fa"]}
coreTokenString08: /myrealm
coreTokenString07: Bearer
coreTokenType: OAUTH
coreTokenString09: clientOIDC
coreTokenId: adb35440-cf4f-482d-9ab2-f06274cec3a5

dn: coreTokenId=eb848e6c-526c-4a0c-a248-dfec1f1c80f8,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenString11: -empty-
coreTokenString10: access_code
coreTokenString13: AQIC5wM2LY4SfczXSMHmji5MIPC4qQMFPBlSXVOdpUiImhI.*AAJTSQACMDEA
 AlNLABI5ODQwMDcwNzQ2NjEzODc4MzIAAlMxAAA.*
coreTokenExpirationDate: 20151118103632.578+0100
coreTokenString01: openid
coreTokenString04: http://fake.com
coreTokenString03: user.0
coreTokenString06: true
coreTokenObject: {"redirectURI":["http://fake.com"],"clientID":["clientOIDC"],"s
 soTokenId":["AQIC5wM2LY4SfczXSMHmji5MIPC4qQMFPBlSXVOdpUiImhI.*AAJTSQACMDEAAlNLA
 BI5ODQwMDcwNzQ2NjEzODc4MzIAAlMxAAA.*"],"tokenName":["access_code"],"authModules
 ":["LDAP"],"code_challenge_method":[],"userName":["user.0"],"nonce":[],"acr":[]
 ,"expireTime":["1447839392578"],"scope":["openid"],"claims":[null],"realm":["/m
 yrealm"],"id":["eb848e6c-526c-4a0c-a248-dfec1f1c80f8"],"tokenType":["Bearer"],"
 code_challenge":[],"issued":["true"]}
coreTokenString08: /myrealm
coreTokenString07: Bearer
coreTokenType: OAUTH
coreTokenString09: clientOIDC
coreTokenId: eb848e6c-526c-4a0c-a248-dfec1f1c80f8

dn: coreTokenId=99224a00-89a9-44e9-b24e-2f38e1cfea81,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["99224a00-89a9-44e9-b24e-2f38e1cfea81"],"ops":["AQIC5wM2
 LY4SfczXSMHmji5MIPC4qQMFPBlSXVOdpUiImhI.*AAJTSQACMDEAAlNLABI5ODQwMDcwNzQ2NjEzOD
 c4MzIAAlMxAAA.*"],"expireTime":["1447839932000"]}
coreTokenType: OAUTH
coreTokenExpirationDate: 20151118104532+0100
coreTokenId: 99224a00-89a9-44e9-b24e-2f38e1cfea81
With AM12.0.2:
dn: coreTokenId=4e0052ed-e8d0-4dd3-97a4-9dc4ae897be9,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenString11: -empty-
coreTokenString10: access_token
coreTokenExpirationDate: 20151118105212.556+0100
coreTokenString02: 137b966c-6d50-4102-ab89-9f61a383b303
coreTokenString01: openid
coreTokenString12: authorization_code
coreTokenString04: http://fake.com
coreTokenString03: user.0
coreTokenString05: b7e820f6-bce5-40c1-a547-6f9a5893b288
coreTokenString08: myrealm
coreTokenObject: {"redirectURI":["http://fake.com"],"parent":["137b966c-6d50-410
 2-ab89-9f61a383b303"],"clientID":["clientOIDC"],"tokenName":["access_token"],"u
 serName":["user.0"],"nonce":[],"expireTime":["1447840332556"],"grant_type":["au
 thorization_code"],"scope":["openid"],"realm":["myrealm"],"id":["4e0052ed-e8d0-
 4dd3-97a4-9dc4ae897be9"],"tokenType":["Bearer"],"refreshToken":["b7e820f6-bce5-
 40c1-a547-6f9a5893b288"]}
coreTokenString07: Bearer
coreTokenString09: clientOIDC
coreTokenType: OAUTH
coreTokenId: 4e0052ed-e8d0-4dd3-97a4-9dc4ae897be9

dn: coreTokenId=b7e820f6-bce5-40c1-a547-6f9a5893b288,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenString08: myrealm
coreTokenObject: {"redirectURI":["http://fake.com"],"acr":[],"clientID":["client
 OIDC"],"expireTime":["1447840872556"],"grant_type":["authorization_code"],"scop
 e":["openid"],"tokenName":["refresh_token"],"authModules":["LDAP"],"realm":["my
 realm"],"id":["b7e820f6-bce5-40c1-a547-6f9a5893b288"],"userName":["user.0"],"to
 kenType":["Bearer"]}
coreTokenString07: Bearer
coreTokenString09: clientOIDC
coreTokenType: OAUTH
coreTokenString10: refresh_token
coreTokenExpirationDate: 20151118110112.556+0100
coreTokenId: b7e820f6-bce5-40c1-a547-6f9a5893b288
coreTokenString12: authorization_code
coreTokenString01: openid
coreTokenString04: http://fake.com
coreTokenString03: user.0

dn: coreTokenId=137b966c-6d50-4102-ab89-9f61a383b303,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenString11: -empty-
coreTokenString10: access_code
coreTokenExpirationDate: 20151118105212.530+0100
coreTokenString13: AQIC5wM2LY4SfcznZEMp0PUePU5TSL8zdCM0Wjo5fKVlf50.*AAJTSQACMDEA
 AlNLABM2NjI3NjMzOTI4MDQyNTk4MDE5*
coreTokenString01: openid
coreTokenString04: http://fake.com
coreTokenString03: user.0
coreTokenString06: true
coreTokenString08: myrealm
coreTokenObject: {"redirectURI":["http://fake.com"],"clientID":["clientOIDC"],"s
 soTokenId":["AQIC5wM2LY4SfcznZEMp0PUePU5TSL8zdCM0Wjo5fKVlf50.*AAJTSQACMDEAAlNLA
 BM2NjI3NjMzOTI4MDQyNTk4MDE5*"],"tokenName":["access_code"],"authModules":["LDAP
 "],"userName":["user.0"],"nonce":[],"acr":[],"expireTime":["1447840332530"],"sc
 ope":["openid"],"realm":["myrealm"],"id":["137b966c-6d50-4102-ab89-9f61a383b303
 "],"tokenType":["Bearer"],"issued":["true"]}
coreTokenString07: Bearer
coreTokenString09: clientOIDC
coreTokenType: OAUTH
coreTokenId: 137b966c-6d50-4102-ab89-9f61a383b303

dn: coreTokenId=1419ece0-b007-47f0-bf31-2c2c1be9e0ca,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["1419ece0-b007-47f0-bf31-2c2c1be9e0ca"],"ops":["AQIC5wM2
 LY4SfcznZEMp0PUePU5TSL8zdCM0Wjo5fKVlf50.*AAJTSQACMDEAAlNLABM2NjI3NjMzOTI4MDQyNT
 k4MDE5*"],"expireTime":["1447840872"]}
coreTokenType: OAUTH
coreTokenExpirationDate: 19700117191040.872+0100
coreTokenId: 1419ece0-b007-47f0-bf31-2c2c1be9e0ca
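
The count described in this report (how many CTS entries one authorization-code flow leaves behind, and which of them carries no tokenName) can be taken from an LDIF export of the token store. This is an added example, not code from OpenAM or from the original report; the sample entries are constructed, and the names parse_ldif and summarize and the 10**11 seconds-versus-milliseconds threshold are assumptions made for illustration.

```python
import json
from collections import Counter

# Constructed sample in the shape of the CTS export above (ids and values are made up).
# The coreTokenObject of the first entry is folded, as LDIF output folds long lines.
SAMPLE_LDIF = """\
dn: coreTokenId=id-1,dc=com
coreTokenObject: {"tokenName":["refresh_token"],"expireTime":["14478399
 32594"],"id":["id-1"]}

dn: coreTokenId=id-2,dc=com
coreTokenObject: {"tokenName":["access_token"],"expireTime":["1447839392597"],"id":["id-2"]}

dn: coreTokenId=id-3,dc=com
coreTokenObject: {"tokenName":["access_code"],"expireTime":["1447839392578"],"id":["id-3"]}

dn: coreTokenId=id-4,dc=com
coreTokenObject: {"id":["id-4"],"ops":["constructed-sso-token"],"expireTime":["1447840872"]}
"""

def parse_ldif(text):
    """Return one dict per entry, unfolding RFC 2849 continuation lines first."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation: drop the single leading space
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value)
    return entries

def summarize(text):
    """Count entries by tokenName and collect ids whose expireTime looks like seconds."""
    counts, short_expiry = Counter(), []
    for entry in parse_ldif(text):
        obj = json.loads(entry["coreTokenObject"][0])
        counts[(obj.get("tokenName") or ["<no tokenName>"])[0]] += 1
        # Assumption: expireTime is epoch milliseconds, so a value under 10**11 reads as seconds.
        if int(obj["expireTime"][0]) < 10**11:
            short_expiry.append(obj["id"][0])
    return counts, short_expiry

print(summarize(SAMPLE_LDIF))
```

In the AM 12.0.2 dump above, the fourth entry (1419ece0-b007-47f0-bf31-2c2c1be9e0ca) has a ten-digit expireTime and a coreTokenExpirationDate in 1970, which is the case the second return value is meant to surface.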