
Property "renew_token_without_revoking_existing" is not being honored causing stuck threads #20994

Closed
jcgarciaa opened this issue Aug 27, 2024 · 1 comment
@jcgarciaa

jcgarciaa commented Aug 27, 2024

Describe the issue:

When configuring the JWT token issuer to generate new tokens without revoking the previous one, a token binding (request binding) with a random value should be generated so that the user + application + scopes + binding combination is unique for each request. This is being handled in the default JWT token issuer implementation [1].

On the other hand, the AbstractAuthorizationGrantHandler is also checking whether there's a token binding on the request and, if there is none, is returning a constant token binding value (NONE) [2]. This leads to a scenario where all token requests for the same user + application + scopes will have the same token binding, which in environments with high workload and concurrency causes stuck threads at [3].

How to reproduce:

  1. Add the following configuration to the deployment.toml file:
[oauth.jwt.renew_token_without_revoking_existing]
enable=true
  2. Configure an OAuth2 service provider and enable the client credentials grant type.
  3. Add a breakpoint at line [3].
  4. Request a token for the configured application using the client credentials grant type.
  5. Evaluate the value of the tokenBindingReference variable at line [3].

Expected behavior:

The getTokenBindingReference() method of the AbstractAuthorizationGrantHandler class should have the same logic as the JWT token issuer [1], that is, check whether the "generate new tokens without revoking the previous one" feature is enabled and, in that case, generate a random value for the token binding if there's none already.

Environment information:

  • Product Version: IS-5.11.0 and above.

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/a44d65f762a1b7b9d9c41edc43e34685ab7f8ec2/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java#L985-L993
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/a44d65f762a1b7b9d9c41edc43e34685ab7f8ec2/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java#L1155-L1167
[3] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/a44d65f762a1b7b9d9c41edc43e34685ab7f8ec2/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java#L170
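The following is an added illustration of the behaviour the issue describes, not code from the identity-inbound-auth-oauth project: a hypothetical grant handler computes the token-binding reference once the way the report says it does today (constant NONE when the request carries no binding) and once the way the report asks for (a random reference when the renew-without-revoking toggle is on). The class and method names, the boolean standing in for the deployment.toml toggle, and the shape of the user + application + scopes + binding key are all assumptions made for the demo.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;

/**
 * Hypothetical demo (not the project's code) contrasting a constant token-binding
 * reference with a per-request random one when tokens are renewed without
 * revoking the existing ones.
 */
public class TokenBindingReferenceDemo {

    // Constant returned today when the request carries no token binding.
    static final String NONE = "NONE";

    // Stand-in for [oauth.jwt.renew_token_without_revoking_existing] enable=true.
    static boolean renewTokenWithoutRevokingExisting = true;

    /** Behaviour described in the issue: no binding on the request -> constant reference. */
    static String currentBindingReference(String requestBindingReference) {
        if (requestBindingReference == null || requestBindingReference.isEmpty()) {
            return NONE;
        }
        return requestBindingReference;
    }

    /** Behaviour the issue asks for: mint a random reference when renewal without
     *  revocation is enabled and the request carries no binding of its own. */
    static String proposedBindingReference(String requestBindingReference) {
        if (requestBindingReference == null || requestBindingReference.isEmpty()) {
            if (renewTokenWithoutRevokingExisting) {
                return UUID.randomUUID().toString();
            }
            return NONE;
        }
        return requestBindingReference;
    }

    /** Assumed shape of the key under which an issued token is looked up or cached. */
    static String tokenKey(String user, String clientId, String scope, String bindingRef) {
        return user + ":" + clientId + ":" + scope + ":" + bindingRef;
    }

    public static void main(String[] args) {
        // Constructed sample request: one client-credentials app, one scope, no binding header.
        String user = "client-credentials-app-owner";
        String clientId = "client-credentials-app";
        String scope = "default";

        Set<String> currentKeys = new HashSet<>();
        Set<String> proposedKeys = new HashSet<>();
        for (int i = 0; i < 1000; i++) {
            currentKeys.add(tokenKey(user, clientId, scope, currentBindingReference(null)));
            proposedKeys.add(tokenKey(user, clientId, scope, proposedBindingReference(null)));
        }
        System.out.println("distinct keys with constant binding reference: " + currentKeys.size());
        System.out.println("distinct keys with random binding reference:   " + proposedKeys.size());

        // A binding supplied by the request is passed through unchanged in both variants.
        System.out.println(currentBindingReference("abc123"));
        System.out.println(proposedBindingReference("abc123"));
    }
}
```

Running the demo prints a single distinct key for the constant-reference variant (every one of the 1000 requests maps to the same user + application + scopes + NONE key) and 1000 distinct keys for the random-reference variant, which is the uniqueness property the issue expects the grant handler to provide when the toggle is enabled.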

@KD23243

KD23243 commented Nov 28, 2024

The issue has been resolved, and the fix has been merged into the master branch [1]. Additionally, the migration documentation has been updated. Therefore this issue can be closed.

[1] wso2-extensions/identity-inbound-auth-oauth#2630

@KD23243 KD23243 closed this as completed Nov 28, 2024