[OPENAM-12080] OAuth2 Stateless Session Signing Key lost during upgrade Created: 10/Nov/17  Updated: 21/Aug/19  Resolved: 06/Dec/17

Status: Closed
Project: OpenAM
Component/s: oauth2
Affects Version/s: None
Fix Version/s: 6.0.0, 5.5.2

Type: Bug Priority: Major
Reporter: Craig McDonnell Assignee: Dipu Seminlal
Resolution: Fixed Votes: 0
Labels: AME, Must-Fix, NEWTON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Sprint: Sprint 2017.15 Curie, Sprint 2017.16 Newton
Needs backport:
Verified Version/s:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes, and I used the same as in the description


Bug description

OAuth2 Provider service's "Token Signing HMAC Shared Secret" is lost during the upgrade from OpenAM 13.5.0 to AM 6.0.0. I would assume that this affects other upgrade paths in between.

How to reproduce the issue

  1. Install OpenAM 13.5.0
  2. Configure OAuth2 Provider Service and enable stateless OAuth2 tokens
  3. Configure OAuth2 client
  4. Obtain an access token and keep a reference to the returned JWT
  5. Upgrade to AM 6.0.0
  6. Call the /tokeninfo endpoint for the access token created prior to the upgrade

Expected behaviour

Token info should be returned as JSON.

Current behaviour

Internal Server Error
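As an added illustration, not part of the ticket or of OpenAM's code: a stand-alone Python model of a stateless HS256 access token and a tokeninfo-style check. It shows why a token minted before the upgrade cannot be verified once the shared secret is gone, why that condition should surface as a server-side configuration error rather than a silent token rejection, and how a post-upgrade configuration comparison catches the lost value before clients see HTTP 500s. The attribute name tokenSigningHmacSharedSecret, the secret values and the claims are constructed for the example; the real OpenAM endpoint, its response codes and its internals are not modelled.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed name for the configuration attribute; OpenAM's real attribute id is not used here.
SECRET_ATTR = "tokenSigningHmacSharedSecret"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWT serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding stripped on encode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_stateless_token(claims: dict, hmac_secret: str) -> str:
    """Issue a compact HS256 JWT (header.payload.signature) over the given claims.

    A stateless token carries its own state; the server keeps nothing but the key,
    which is exactly why losing the key orphans every token issued before the upgrade.
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(hmac_secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def token_info(token: str, hmac_secret: Optional[str]) -> Tuple[int, dict]:
    """Model of a /tokeninfo-style endpoint returning (HTTP status, JSON body).

    A missing secret is a server misconfiguration (500): the server cannot verify
    any token at all, which is the post-upgrade state the ticket describes.
    A token that fails verification against a present secret is a client-side
    problem (400 invalid_token), never an internal error.
    """
    if not hmac_secret:
        return 500, {"error": "server_error", "reason": "token signing secret missing from configuration"}
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return 400, {"error": "invalid_token", "reason": "malformed JWT"}
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return 400, {"error": "invalid_token", "reason": "malformed header"}
    if header.get("alg") != "HS256":  # refuse anything other than the expected algorithm
        return 400, {"error": "invalid_token", "reason": "unexpected alg"}
    expected = hmac.new(hmac_secret.encode("utf-8"),
                        f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time comparison
        return 400, {"error": "invalid_token", "reason": "signature verification failed"}
    return 200, json.loads(_b64url_decode(payload_b64))


def secret_survived_upgrade(pre_upgrade_config: dict, post_upgrade_config: dict,
                            key: str = SECRET_ATTR) -> bool:
    """Post-upgrade sanity check: the signing secret must still be present and unchanged."""
    before = pre_upgrade_config.get(key)
    after = post_upgrade_config.get(key)
    return bool(before) and before == after


if __name__ == "__main__":
    # Constructed walk-through of the ticket's scenario.
    pre = {SECRET_ATTR: "constructed-pre-upgrade-secret"}
    post_broken = {SECRET_ATTR: None}          # value lost during upgrade
    post_fixed = dict(pre)                     # value re-entered manually (the workaround)
    tok = mint_stateless_token({"sub": "demo-user", "scope": "openid"}, pre[SECRET_ATTR])
    print("before upgrade:", token_info(tok, pre[SECRET_ATTR]))
    print("after upgrade, secret lost:", token_info(tok, post_broken[SECRET_ATTR]))
    print("secret survived?", secret_survived_upgrade(pre, post_broken))
    print("after workaround:", token_info(tok, post_fixed[SECRET_ATTR]))
```

Running the configuration comparison as part of the upgrade runbook (export the OAuth2 Provider service settings before and after, then compare the signing-secret attribute) turns the silent loss into a failed pre-flight check rather than a stream of 500s from the tokeninfo and introspect endpoints.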

Workaround

Manually re-entering the value for OAuth2 Provider service's "Token Signing HMAC Shared Secret" fixes the configuration.


Comment by Ľubomír Mlích [ 21/Aug/19 ]

Reproduced with ForgeRock Access Management 5.5.1 Build 96b47ad4f1 (2017-October-26 15:41): the introspect endpoint returned HTTP 500 until the HMAC signing key was entered into the configuration.

Verified as fixed in ForgeRock Access Management 5.5.2-M7 Build 965200a558 (2019-August-20 08:11); no such problem was found.
