Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-123020

Not expired authorizations are removed every 1 hour

    XMLWordPrintable

    Details

      Description

      User request a token. That token suddenly expires (without now reason) and user loses permissions. I guess this issue is caused by "Expired Authorizations Check Interval" option, which is (by default) removing all authorizations every hour.

      Steps to Reproduce:

      1. Go to OAuth 2 Administration
      2. Create new OAuth 2 Application (app name: test-app, client profile: Headless Server)
      3. Set scope on test-app: Content Delivery -> read data on your behalf
      4. Go to System Settings -> OAuth 2 -> Provider
      5. Set "Expired Authorizations Check Interval" to 1 minute
      6. Use curl
      7. Get Bearer token from test-app
        Example:
        Request:
        curl -X POST --header "Content-Type: application/x-www-form-urlencoded" "localhost:8080/o/oauth2/token?grant_type=client_credentials&client_id={test-app-clientId}&client_secret={test-app-clientSecret}"
        Response: {"access_token":" {test-app-access-token}

        ","token_type":"Bearer","expires_in":600,"scope":"Liferay.Headless.Delivery.everything.read"}

      8. Wait 1 minute
      9. Try to request headless delivery Open Api specification
        Example:
        Request:
        curl -i --header "Authorization: Bearer {test-app-access-token}" http://localhost:8080/o/headless-delivery/v1.0/openapi.yaml
        Response:
        HTTP/1.1 403
        X-Content-Type-Options: nosniff
        X-Frame-Options: SAMEORIGIN
        X-XSS-Protection: 1
        Set-Cookie: JSESSIONID=6A75B1CF55A78648F6E93B6FED349AAD; Path=/; HttpOnly
        Date: Tue, 03 Nov 2020 14:20:55 GMT
        Content-Type: application/octet-stream
        Content-Length: 122 { "message" : "Access denied to com.liferay.headless.delivery.internal.resource.v1_0.OpenAPIResourceImpl#getOpenAPI" }

       

      Default token expiration is 600 seconds = 10 minutes. But in this case it expires after 1 minute.

      Expected Result:
      "Expired Authorizations Check Interval" option or this cleaner will remove only EXPIRED authorization after their afterlife duration (by default 86400 seconds).

      Actual Result:

      "Expired Authorizations Check Interval" option or this cleaner is removing EXPIRED and NOT EXPIRED authorization immediately.

       Reproduced on:

      Liferay 7.3.5 GA6

      Server version: Apache Tomcat/9.0.37

      OS Name: Windows 10

      Regression:

      This scenario was working in previous version: Liferay 7.2.0 - NOT tested.

      Workaround:

      Set "Expired Authorizations Check Interval" to -1

        Attachments

          Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. LPS-151082 OAuth2 deleteExpiredOAuth2 removes regularly valid tokens causes API access errors

          • Resolved

            Activity

              People

              Assignee:
              marcell.weller Marcell Weller
              Reporter:
              suchanek.vaclav999 Václav Suchánek
              Participants of an Issue:
              Recent user:
              Rafaela Nascimento
              Engineering Assignee:
              Jose L. Bango
              Votes:
              2 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Days since last comment:
                3 weeks, 6 days ago

                  Packages

                  Version Package
                  7.3.X
                  7.4.3.23 CE GA23
                  Master