OPENAM-9629: OAuth2 flow creates GENERIC CTS tokens that never expire

    Details

    • Sprint: AM Sustaining Sprint 27
    • Support Ticket IDs:

      Description

      During some OAuth2 flows a state token is persisted to CTS and used to validate the next request. This token has no expiration date; it is deleted only when the user successfully comes back to the page/endpoint.

      There is no guarantee that the last part of the flow will complete, and in those cases the token is never removed. Over time the system accrues more and more of these tokens. The CTS reaper will not clean them up, since it only removes tokens that carry an expiration date.

      A typical token looks like this:

      dn: coreTokenId=EOQ0nTE5vy1fj1S0VKoB1dhHihrHtTb0,ou=famrecords,ou=openam-session
       ,ou=tokens,dc=openam,dc=forgerock,dc=org
      objectClass: top
      objectClass: frCoreToken
      coreTokenType: GENERIC
      coreTokenId: EOQ0nTE5vy1fj1S0VKoB1dhHihrHtTb0
      coreTokenString01: h4vzahkg57dogx0mb49bg3a3p5fdouq

      These tokens should be created with a short expiration date.
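The following is an added example, not code from this ticket or from OpenAM itself. It models the problem described above: a small LDIF parser reads CTS entries (the ticket's token plus one constructed entry), a detection check lists GENERIC tokens that carry no expiry, a reaper model shows that such tokens are never removed, and a helper applies the proposed fix by stamping a short expiry on the token. The attribute name coreTokenExpirationDate and the GeneralizedTime value format are assumptions about the CTS schema; the second entry and its values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CTS dump in LDIF form. The first entry is the token quoted
# in the ticket (no expiry). The second entry is constructed and does carry an
# expiry. Attribute name coreTokenExpirationDate and its GeneralizedTime
# format (YYYYMMDDHHMMSSZ) are assumptions about the CTS schema.
SAMPLE_LDIF = """\
dn: coreTokenId=EOQ0nTE5vy1fj1S0VKoB1dhHihrHtTb0,ou=famrecords,ou=openam-session
 ,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenType: GENERIC
coreTokenId: EOQ0nTE5vy1fj1S0VKoB1dhHihrHtTb0
coreTokenString01: h4vzahkg57dogx0mb49bg3a3p5fdouq

dn: coreTokenId=CONSTRUCTED00000000000000000002,ou=famrecords,ou=openam-session
 ,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenType: GENERIC
coreTokenId: CONSTRUCTED00000000000000000002
coreTokenString01: constructedstatevalue
coreTokenExpirationDate: 20240101120000Z
"""

EXPIRY_ATTR = "coreTokenExpirationDate"   # assumed CTS expiry attribute
TIME_FMT = "%Y%m%d%H%M%SZ"                # assumed GeneralizedTime layout


def utc(*args):
    """Build a timezone-aware UTC datetime from year, month, day[, hour, minute]."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.
    LDIF folds long values onto continuation lines that start with a space;
    those are joined back onto the previous line before splitting."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def token_id(entry):
    return entry["coreTokenId"][0]


def find_unexpiring_tokens(entries, token_type="GENERIC"):
    """Detection check: ids of tokens of the given type that have no expiry set."""
    return [token_id(e) for e in entries
            if e.get("coreTokenType") == [token_type] and EXPIRY_ATTR not in e]


def reap(entries, now):
    """Model of the CTS reaper: drop only entries whose expiry is at or before
    'now'. Returns (kept, reaped). An entry with no expiry is never reaped,
    which is exactly the accumulation the ticket describes."""
    kept, reaped = [], []
    for e in entries:
        expiry = e.get(EXPIRY_ATTR)
        if expiry and datetime.strptime(expiry[0], TIME_FMT).replace(tzinfo=timezone.utc) <= now:
            reaped.append(e)
        else:
            kept.append(e)
    return kept, reaped


def with_short_expiry(entry, created, ttl=timedelta(minutes=5)):
    """The fix the ticket asks for: give the state token a short lifetime so an
    abandoned flow leaves nothing behind once ttl has elapsed."""
    fixed = dict(entry)
    fixed[EXPIRY_ATTR] = [(created + ttl).strftime(TIME_FMT)]
    return fixed


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("GENERIC tokens with no expiry:", find_unexpiring_tokens(entries))
    now = utc(2024, 1, 2)
    kept, reaped = reap(entries, now)
    print("reaped:", [token_id(e) for e in reaped],
          "still stored:", [token_id(e) for e in kept])
    fixed = [with_short_expiry(e, now) if EXPIRY_ATTR not in e else e for e in kept]
    kept_later, _ = reap(fixed, utc(2024, 1, 2, 0, 10))
    print("after applying a 5 minute expiry, still stored:", [token_id(e) for e in kept_later])
```

Running the script shows the ticket's token surviving every reaper pass until an expiry is stamped on it, after which it disappears on the first pass past its expiry. The same `find_unexpiring_tokens` check can be run over a real LDIF export of the tokens branch to measure how many such entries a deployment has accumulated.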

      People

      • Assignee: Sachiko Wallace
      • Reporter: Ian Packer (Inactive)
      • Votes: 0
      • Watchers: 6