  1. Identity Gateway
  2. OPENIG-2004

OAuth2ResourceServerFilter cache configuration can lead to unexpected results if tokens expire early

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 3.1.0, 3.1.1, 4.0.0, 4.5.0, 5.0.0, 5.5.0
    • Fix Version/s: 5.5.1, 6.0.0
    • Component/s: OAuth 2.0
    • Environment:
      OpenIG working with OpenAM as an OAuth2 token store

      Description

      Current Issue:

      When working with an OAuth2ResourceServerFilter and setting cacheExpiration to anything other than 0, the only value considered by the cache is the token's expiry value.

      This can lead to unexpected results if the token is expired early by the end user or by an administrator as the OAuth2ResourceServerFilter will continue to return valid token results until the original token expiry time kicks in.

      Possible Solution:

      Rename cacheExpiration to maxTimeout and treat it like the maxTimeout used in the PolicyEnforcementFilter: the cache uses it when testing whether the token has expired, taking the lower of the two values.
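
A minimal model of the behaviour described above, added here as an illustration (it is not OpenIG code and not part of the report). `AuthServer`, `ResourceServerCache` and `stale_window` are hypothetical names, and all times are constructed values in seconds. It measures how long a revoked token keeps being accepted when the cache entry lives until the token's original expiry, and when the entry lifetime is the lower of that expiry and a `max_timeout` cap.

```python
from dataclasses import dataclass
@dataclass
class Token:
    expires_at: int          # expiry reported by the authorization server
    revoked: bool = False    # set when a user or administrator expires it early

class AuthServer:
    """Stand-in for the token store (OpenAM in the report). Hypothetical model."""
    def __init__(self):
        self.tokens = {}

    def introspect(self, token_id, now):
        t = self.tokens.get(token_id)
        if t is None or t.revoked or now >= t.expires_at:
            return None
        return t.expires_at

class ResourceServerCache:
    """max_timeout=None models the reported bug: entries live until token expiry."""
    def __init__(self, server, max_timeout=None):
        self.server = server
        self.max_timeout = max_timeout
        self.entries = {}    # token_id -> time the cached result stops being trusted

    def is_valid(self, token_id, now):
        valid_until = self.entries.get(token_id)
        if valid_until is not None and now < valid_until:
            return True      # served from cache, the token store is not consulted
        self.entries.pop(token_id, None)
        expires_at = self.server.introspect(token_id, now)
        if expires_at is None:
            return False
        if self.max_timeout is not None:
            # Proposed fix: trust the entry for the lower of the two values.
            expires_at = min(expires_at, now + self.max_timeout)
        self.entries[token_id] = expires_at
        return True

def stale_window(max_timeout, revoke_at=100, token_lifetime=3600, step=10):
    """Seconds after revocation until the cache first rejects the token."""
    server = AuthServer()
    server.tokens["t1"] = Token(expires_at=token_lifetime)
    cache = ResourceServerCache(server, max_timeout)
    for now in range(0, token_lifetime + step, step):   # one request every `step` s
        if now == revoke_at:
            server.tokens["t1"].revoked = True
        if not cache.is_valid("t1", now):
            return now - revoke_at
    return None
```

With these constructed numbers, the uncapped cache accepts the revoked token for the remaining 3500 seconds of its lifetime, while a 60-second cap bounds the stale window to at most 60 seconds.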

              People

              • Assignee:
                markdr Mark de Reeper
                Reporter:
                markdr Mark de Reeper