Hi Jarrett,
I agree that when a refresh operation is performed, the previous access token should be removed from the DB and therefore no longer be valid. I'm not sure exactly how that would be reflected in the DB, but a subsequent "introspect" of the old Access Token should return "active: false". If that's not the case, it sounds like you'll need a support case.
On the question of the Access Tokens that were expired early, I'm not sure what is happening here. Usually tokens expire from the DB because:
- The grant as a whole expires (a grant has a max lifetime which is not, by default, extended when using a refresh token).
- A refresh token is used which (should) expire previous access tokens in the grant
- A call is made to the "revoke" endpoint to explicitly revoke an access token
- Max tokens for user are reached and least-recently-used is enabled (so an older access token is removed to make room for the new one)
You mention "clearing the database". If you are manually clearing data at the DB level, perhaps this is causing some inconsistency with in-process caching. I don't know how this works but can imagine that directly clearing the DB might cause some unexpected behaviour.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Fri July 09, 2021 10:41 AM
From: Jarrett Peterson
Subject: Oauth Token Expiring Early
This came back up again recently and I happened to be in the OAuth database (Oracle). I'm seeing some behavior that isn't working as I expect.
1) Refresh token is used but doesn't expire the existing OAuth token
-- I was under the impression that using a refresh token expired the OAuth token you got with it, but maybe this is working as intended and using a refresh token does not invalidate the OAuth token you got with it (it continues on to expiry unless it's expired by the token limit)
2) I recently cleared the database and there were 4 calls at the same time due to Amazon functions spinning up at the same time, and they generated 4 bearer tokens and 4 refresh tokens
Within 20-30 min, 3 of those bearer tokens disappeared from the database but the refresh tokens were still there. We thought maybe using the refresh token early expired them, but I've been using Postman to use refresh tokens and it's just clearing the refresh token I used from the DB and adding a new refresh token and a new bearer token (but not removing the original bearer token associated with the refresh token I used)
So wondering what possibly could have expired 3 bearer tokens early.
------------------------------
Jarrett Peterson
Original Message:
Sent: Mon June 21, 2021 03:00 PM
From: Jon Harry
Subject: Oauth Token Expiring Early
Hi Jarrett,
I don't really have any other ideas. If you have a user showing 20 tokens, that's probably an indication it is requesting new tokens all the time instead of caching and reusing. You should fix the application.
If you have a user that only shows a few tokens but these tokens are expiring before they should, then I don't know what that would be.
It might be worth looking at the expiry information that is received by the client to make sure it is as expected... maybe the tokens are being received with a short expiry for some reason?
If you still can't see why the expiry is occurring, I would think you'll need a support ticket so that someone can help you gather and analyse trace.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Mon June 21, 2021 02:32 PM
From: Jarrett Peterson
Subject: Oauth Token Expiring Early
Any ideas what would cause that Jon? Or how we could get more info on the cause?
------------------------------
Jarrett Peterson
Original Message:
Sent: Fri June 18, 2021 01:36 PM
From: Jarrett Peterson
Subject: Oauth Token Expiring Early
Original Message:
Sent: 6/18/2021 1:34:00 PM
From: Jon Harry
Subject: RE: Oauth Token Expiring Early
Does that mean ROPC flow?
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Fri June 18, 2021 01:31 PM
From: Jarrett Peterson
Subject: Oauth Token Expiring Early
They all use password
------------------------------
Jarrett Peterson
Original Message:
Sent: Fri June 18, 2021 12:52 PM
From: Jon Harry
Subject: Oauth Token Expiring Early
Hi Jarrett,
No, that's not what I meant. If you have 1 client ID but 2 usernames I'd expect a total of 40 tokens.
If a client with 1 token is getting expiry, that doesn't sound right. What is the grant type?
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Fri June 18, 2021 11:40 AM
From: Jarrett Peterson
Subject: Oauth Token Expiring Early
So if I understand you correctly, Jon, if they have username A requesting tokens under client ID x and username B requesting tokens under client ID x (same client ID), then there is a max limit of 20 tokens between them and it's shared? So if username A is improperly using tokens by getting a new one each time, then username B could have their token expired prior to the hour if LRU is set?
I can see in the console that one username has 20+ tokens and the other has 1. But they are both getting tokens expiring early and they share a client ID.
------------------------------
Jarrett Peterson
Original Message:
Sent: Fri June 18, 2021 11:34 AM
From: Jon Harry
Subject: Oauth Token Expiring Early
Hi Jarrett,
My understanding is that the limit here is both per user and per client... so even if you only have 1 client, you should be OK as long as no single user is requesting more than 20 tokens. If the access token lifetime is set to 3600 then access tokens should not be expired before 60 minutes unless the client is requesting more than 20 tokens for the same user.
Which grant type are you using? If it's client_credentials then I actually don't know how that would be affected by the limit because there is no user associated. I suppose that might result in a limit of 20 for the client as a whole.
If you're using some other grant type, maybe it's worth using the admin UI to see what grants exist when you're seeing the expiry happening? If you see the user has 20 tokens, perhaps the clients are doing something unexpected (I have seen cases where clients request a new token for each operation instead of re-using).
You could also set the limit_method to "strict". That would cause clients requesting more than 20 tokens to get an error rather than removing least used token. It could be interesting as a debug step?
I hope this helps point in the right direction; let us know what you find out.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Fri June 18, 2021 11:08 AM
From: Jarrett Peterson
Subject: Oauth Token Expiring Early
We have a repeatable situation where developers are requesting OAuth tokens and they are expiring after approx 20 min instead of the set limit of 1 hr. I've confirmed they aren't set to single use and also that the time is 3600 and not 20 min.
The only thing I can see responsible would be this setting here:
var max_oauth_grants_per_user_per_client = 20;
var limit_method = "lru"; // "lru" | "strict"
I read "per user per client" as meaning that the limit should be separately applied to each username using that shared client ID, in which case it should not be causing the issue we're having, as I don't believe the username is shared. However, there are multiple teams using the same client ID, and if the limit is 20 across all users of that shared ID (and not per individual team username) then that would certainly explain why the tokens get expired early.
------------------------------
Jarrett Peterson
------------------------------
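Added worked example (not code from this thread and not IBM's product code): a small in-memory model of an OAuth grant store that behaves the way the replies above describe. It implements the max_oauth_grants_per_user_per_client limit with both limit_method values ("lru" and "strict"), keyed on the (client ID, username) pair, so the "two usernames sharing one client ID" question from the original post can be reasoned through, and it implements the refresh-token rotation and introspection behaviour Jon expects in his latest reply (old access token dropped, so introspecting it returns active: false). Assumptions, labelled in the code: the grant's own max lifetime (GRANT_LIFETIME), that a refresh and a successful introspection count as "use" for LRU ordering, and that a client_credentials grant with no user is modelled as username None (which reproduces Jon's supposition of one shared bucket for the client; this is not confirmed by the product documentation). The model shows the expected behaviour, not necessarily what the product does in Jarrett's environment.

```python
# Added example: in-memory model of an OAuth grant store (not IBM Verify Access code).
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_GRANTS_PER_USER_PER_CLIENT = 20      # mirrors max_oauth_grants_per_user_per_client = 20
ACCESS_TOKEN_LIFETIME = 3600             # seconds, the configured lifetime in the thread
GRANT_LIFETIME = 7 * 24 * 3600           # ASSUMPTION: the grant's own max lifetime


@dataclass
class Grant:
    client_id: str
    username: Optional[str]   # None models client_credentials (no user in the grant); assumption
    created: int
    last_used: int
    access_token: str
    refresh_token: str
    access_expires: int


class GrantStore:
    """Toy token database with a movable clock (seconds) so scenarios are deterministic."""

    def __init__(self, limit_method: str = "lru", now: int = 0) -> None:
        assert limit_method in ("lru", "strict")
        self.limit_method = limit_method
        self.now = now
        self.grants: List[Grant] = []

    def grants_for(self, client_id: str, username: Optional[str]) -> List[Grant]:
        self._drop_expired_grants()
        return [g for g in self.grants
                if g.client_id == client_id and g.username == username]

    def issue(self, client_id: str, username: Optional[str]) -> Grant:
        """Token request (e.g. ROPC). The limit is keyed on (client_id, username):
        another user of the same client ID has its own bucket of 20."""
        bucket = self.grants_for(client_id, username)
        if len(bucket) >= MAX_GRANTS_PER_USER_PER_CLIENT:
            if self.limit_method == "strict":
                raise PermissionError("grant limit reached for this user and client")
            # "lru": evict the least recently used grant of this user/client to make room
            self.grants.remove(min(bucket, key=lambda g: g.last_used))
        grant = Grant(client_id, username, self.now, self.now,
                      self._new_token(), self._new_token(),
                      self.now + ACCESS_TOKEN_LIFETIME)
        self.grants.append(grant)
        return grant

    def refresh(self, refresh_token: str) -> Grant:
        """Refresh-token grant: rotate both tokens inside the same grant. The previous
        access token is gone, so introspecting it afterwards returns active=False."""
        grant = self._find(refresh_token=refresh_token)
        grant.access_token = self._new_token()
        grant.refresh_token = self._new_token()
        grant.access_expires = self.now + ACCESS_TOKEN_LIFETIME
        grant.last_used = self.now        # ASSUMPTION: a refresh counts as "use" for LRU
        return grant

    def revoke(self, access_token: str) -> None:
        """Revocation endpoint: remove the grant that owns this access token."""
        self.grants.remove(self._find(access_token=access_token))

    def introspect(self, access_token: str) -> Dict[str, object]:
        """Introspection endpoint: active only while the token is stored and unexpired."""
        self._drop_expired_grants()
        for g in self.grants:
            if g.access_token == access_token and g.access_expires > self.now:
                g.last_used = self.now    # ASSUMPTION: use of the token refreshes LRU order
                return {"active": True, "client_id": g.client_id,
                        "username": g.username, "exp": g.access_expires}
        return {"active": False}

    def _find(self, access_token: Optional[str] = None,
              refresh_token: Optional[str] = None) -> Grant:
        for g in self.grants:
            if (access_token and g.access_token == access_token) or \
               (refresh_token and g.refresh_token == refresh_token):
                return g
        raise KeyError("unknown token")

    def _drop_expired_grants(self) -> None:
        # The grant as a whole expires; by default a refresh does not extend this.
        self.grants = [g for g in self.grants if g.created + GRANT_LIFETIME > self.now]

    @staticmethod
    def _new_token() -> str:
        return secrets.token_urlsafe(16)


def shared_client_scenario(limit_method: str = "lru") -> Dict[str, object]:
    """Constructed scenario from the thread: usernames A and B share client ID x.
    A requests a new token per call (25 requests in ~20 minutes), B requests one.
    Returns what a DB / introspection check would show afterwards."""
    store = GrantStore(limit_method)
    b_token = store.issue("x", "B").access_token
    rejected = 0
    for i in range(25):
        store.now = i * 48
        try:
            store.issue("x", "A")
        except PermissionError:           # only happens with limit_method = "strict"
            rejected += 1
    store.now = 1500                      # 25 minutes in: well inside B's 3600 s lifetime
    return {"a_grants": len(store.grants_for("x", "A")),
            "a_rejected": rejected,
            "b_grants": len(store.grants_for("x", "B")),
            "b_still_active": store.introspect(b_token)["active"]}
```

With the limit keyed on (client ID, username), user A's churn only ever evicts A's own grants; B's single token survives in both modes, and in "strict" mode A's 21st and later requests fail instead of evicting anything, which is the debugging step Jon suggests. If a real deployment shows B's token disappearing anyway, the per-user assumption in this model does not match that deployment and a trace is needed.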