- Type: Bug
- Status: Closed
- Resolution: Fixed
- Affects Version/s: 7.3.X, Master
- Fix Version/s: 7.3.X, 7.4.3.23 CE GA23, Master
- Component/s: Application Security > OAuth2
- Branch Version/s: 7.3.x
- Backported to Branch: Committed
- Story Points: 5
- Fix Priority: 3
- Git Pull Request:
A user requests a token. That token suddenly expires (for no apparent reason) and the user loses permissions. I guess this issue is caused by the "Expired Authorizations Check Interval" option, which by default removes all authorizations every hour.
Steps to Reproduce:
- Go to OAuth 2 Administration
- Create new OAuth 2 Application (app name: test-app, client profile: Headless Server)
- Set scope on test-app: Content Delivery -> read data on your behalf
- Go to System Settings -> OAuth 2 -> Provider
- Set "Expired Authorizations Check Interval" to 1 minute
- Use curl
- Get Bearer token from test-app
Example:
Request:
curl -X POST --header "Content-Type: application/x-www-form-urlencoded" "localhost:8080/o/oauth2/token?grant_type=client_credentials&client_id={test-app-clientId}&client_secret={test-app-clientSecret}"
Response: {"access_token":"{test-app-access-token}","token_type":"Bearer","expires_in":600,"scope":"Liferay.Headless.Delivery.everything.read"}
- Wait 1 minute
- Try to request headless delivery Open Api specification
Example:
Request:
curl -i --header "Authorization: Bearer {test-app-access-token}" http://localhost:8080/o/headless-delivery/v1.0/openapi.yaml
Response:
HTTP/1.1 403
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Set-Cookie: JSESSIONID=6A75B1CF55A78648F6E93B6FED349AAD; Path=/; HttpOnly
Date: Tue, 03 Nov 2020 14:20:55 GMT
Content-Type: application/octet-stream
Content-Length: 122

{ "message" : "Access denied to com.liferay.headless.delivery.internal.resource.v1_0.OpenAPIResourceImpl#getOpenAPI" }
The default token expiration is 600 seconds (10 minutes), but in this case the token expires after 1 minute.
Expected Result:
The "Expired Authorizations Check Interval" option, i.e. this cleaner, should remove only EXPIRED authorizations, and only after their afterlife duration has passed (by default 86400 seconds).
Actual Result:
The "Expired Authorizations Check Interval" cleaner removes both EXPIRED and NOT EXPIRED authorizations immediately.
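The following is an added model of the selection rule the expected result describes, not Liferay's own code: a scheduled cleaner ticking every "check interval" seconds that must delete an authorization only once its access token has expired and its afterlife (86400 s) has also elapsed. The `Authorization` class and all function names are assumptions for illustration; the timestamps are constructed.

```python
"""Model of the expected "Expired Authorizations Check Interval" behaviour.
Added example, not Liferay's implementation; names are assumptions."""
from dataclasses import dataclass

TOKEN_LIFETIME = 600       # expires_in from the token response on this page
DEFAULT_AFTERLIFE = 86400  # default afterlife duration quoted on this page
CHECK_INTERVAL = 60        # the 1-minute interval the reporter configured


@dataclass(frozen=True)
class Authorization:
    """One OAuth2 authorization, reduced to what the cleaner must look at."""
    client_id: str
    issued_at: int                    # seconds since epoch (constructed)
    expires_in: int = TOKEN_LIFETIME

    @property
    def expiration(self) -> int:
        return self.issued_at + self.expires_in


def is_removable(auth: Authorization, now: int,
                 afterlife: int = DEFAULT_AFTERLIFE) -> bool:
    """Correct criterion: the token is expired AND its afterlife has passed.

    A token that is merely expired, or still valid, must survive the tick.
    """
    return now >= auth.expiration + afterlife


def run_cleaner(auths, now, afterlife=DEFAULT_AFTERLIFE):
    """One cleaner tick at time `now`; returns (kept, removed)."""
    removed = [a for a in auths if is_removable(a, now, afterlife)]
    kept = [a for a in auths if not is_removable(a, now, afterlife)]
    return kept, removed


def simulate(auths, start, end, interval=CHECK_INTERVAL,
             afterlife=DEFAULT_AFTERLIFE):
    """Run the cleaner on its schedule from `start` to `end` (inclusive).

    Returns {client_id: tick at which the authorization was removed}.
    """
    live, removal_time = list(auths), {}
    for now in range(start, end + 1, interval):
        live, removed = run_cleaner(live, now, afterlife)
        for auth in removed:
            removal_time[auth.client_id] = now
    return removal_time
```

With the page's numbers, a token issued at t=0 is still present after the reporter's 1-minute wait and is only removed at the first tick at or after t=600+86400.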
Reproduced on:
Liferay 7.3.5 GA6
Server version: Apache Tomcat/9.0.37
OS Name: Windows 10
Regression:
This scenario was working in a previous version: Liferay 7.2.0 - NOT tested.
Workaround:
Set "Expired Authorizations Check Interval" to -1
Is duplicated by:
- LPS-151082 OAuth2 deleteExpiredOAuth2 removes regularly valid tokens causes API access errors (Resolved)