PUBLIC - Liferay Portal Community Edition
LPS-123020

Non-expired authorizations are removed every hour

    Details

    • Type: Regression Bug
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: 7.3.5 CE GA6
    • Fix Version/s: None
    • Labels:
      None
    • OS:
      Windows 10
    • JDK:
      Oracle Sun JDK 11
    • Application Servers:
      Apache Tomcat 9.0.x
    • Databases:
      PostgreSQL 10
    • Device Type:
      Desktop

      Description

      A user requests a token. That token suddenly expires (for no apparent reason) and the user loses permissions. I guess this issue is caused by the "Expired Authorizations Check Interval" option, which (by default) removes all authorizations every hour.

      Steps to Reproduce:

      1. Go to OAuth 2 Administration
      2. Create new OAuth 2 Application (app name: test-app, client profile: Headless Server)
      3. Set scope on test-app: Content Delivery -> read data on your behalf
      4. Go to System Settings -> OAuth 2 -> Provider
      5. Set "Expired Authorizations Check Interval" to 1 minute
      6. Use curl
      7. Get Bearer token from test-app
        Example:
        Request:
        curl -X POST --header "Content-Type: application/x-www-form-urlencoded" "localhost:8080/o/oauth2/token?grant_type=client_credentials&client_id={test-app-clientId}&client_secret={test-app-clientSecret}"
        Response: {"access_token":"{test-app-access-token}","token_type":"Bearer","expires_in":600,"scope":"Liferay.Headless.Delivery.everything.read"}

      8. Wait 1 minute
      9. Try to request headless delivery Open Api specification
        Example:
        Request:
        curl -i --header "Authorization: Bearer {test-app-access-token}" http://localhost:8080/o/headless-delivery/v1.0/openapi.yaml
        Response:
        HTTP/1.1 403
        X-Content-Type-Options: nosniff
        X-Frame-Options: SAMEORIGIN
        X-XSS-Protection: 1
        Set-Cookie: JSESSIONID=6A75B1CF55A78648F6E93B6FED349AAD; Path=/; HttpOnly
        Date: Tue, 03 Nov 2020 14:20:55 GMT
        Content-Type: application/octet-stream
        Content-Length: 122

        { "message" : "Access denied to com.liferay.headless.delivery.internal.resource.v1_0.OpenAPIResourceImpl#getOpenAPI" }

      Default token expiration is 600 seconds = 10 minutes. But in this case it expires after 1 minute.

      Expected Result:
      The "Expired Authorizations Check Interval" option, or this cleaner, should remove only EXPIRED authorizations, after their afterlife duration (by default 86400 seconds).

      Actual Result:

      The "Expired Authorizations Check Interval" option, or this cleaner, is removing EXPIRED and NOT EXPIRED authorizations immediately.

       Reproduced on:

      Liferay 7.3.5 GA6

      Server version: Apache Tomcat/9.0.37

      OS Name: Windows 10

      Regression:

      This scenario was working in the previous version (Liferay 7.2.0): NOT tested.

      Workaround:

      Set "Expired Authorizations Check Interval" to -1
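The following probe script automates the reproduction steps above (obtain a client_credentials token, then keep calling the headless endpoint and record when it starts returning 403 relative to the token's expires_in). It is an added example and is not part of the original report or of Liferay's own code. It assumes Liferay is reachable at http://localhost:8080 (override with BASE_URL), that the test-app client ID and secret are supplied in the CLIENT_ID and CLIENT_SECRET environment variables, and that curl is on PATH; the POLL_SECONDS interval and the json_string/json_int/classify helper names are choices made here. Unlike the report's curl line, it sends the client credentials in the POST body rather than the query string.

```shell
#!/bin/sh
# Probe for LPS-123020: does a client_credentials token die before expires_in?
# Assumed environment: Liferay at $BASE_URL, CLIENT_ID / CLIENT_SECRET set by the caller.

BASE_URL="${BASE_URL:-http://localhost:8080}"
TOKEN_URL="$BASE_URL/o/oauth2/token"
PROBE_URL="$BASE_URL/o/headless-delivery/v1.0/openapi.yaml"
POLL_SECONDS="${POLL_SECONDS:-30}"

# Extract a JSON string field from a single-line token response (no jq needed).
json_string() {        # $1 = JSON text, $2 = key
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Extract a JSON integer field from the token response.
json_int() {           # $1 = JSON text, $2 = key
  printf '%s' "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Interpret one probe result. A 403 before expires_in has elapsed is the
# behaviour the report describes; a 403 after it is the normal expiry.
classify() {           # $1 = HTTP status, $2 = seconds since issue, $3 = expires_in
  if [ "$1" = "200" ]; then
    echo OK
  elif [ "$2" -lt "$3" ]; then
    echo PREMATURE_REVOCATION
  else
    echo EXPECTED_EXPIRY
  fi
}

# Request a token, then poll the protected endpoint until the token stops working.
probe() {
  resp=$(curl -s -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode grant_type=client_credentials \
    --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "client_secret=$CLIENT_SECRET" "$TOKEN_URL")
  token=$(json_string "$resp" access_token)
  ttl=$(json_int "$resp" expires_in)
  [ -n "$token" ] && [ -n "$ttl" ] || { echo "token request failed: $resp" >&2; return 1; }
  issued=$(date +%s)
  echo "token issued, expires_in=$ttl"
  while :; do
    sleep "$POLL_SECONDS"
    status=$(curl -s -o /dev/null -w '%{http_code}' \
      -H "Authorization: Bearer $token" "$PROBE_URL")
    elapsed=$(( $(date +%s) - issued ))
    verdict=$(classify "$status" "$elapsed" "$ttl")
    echo "t+${elapsed}s HTTP $status -> $verdict"
    [ "$verdict" = OK ] || return 0
  done
}

# Run the probe only when credentials were supplied; otherwise just define the helpers.
if [ -n "$CLIENT_ID" ] && [ -n "$CLIENT_SECRET" ]; then
  probe
fi
```

With "Expired Authorizations Check Interval" set to 1 minute as in step 5, a PREMATURE_REVOCATION verdict within the first couple of polls reproduces the report; with the interval set to -1 (the workaround) the script should print OK until roughly expires_in seconds have passed and then EXPECTED_EXPIRY.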

            People

            Assignee:
            support-lep@liferay.com SE Support
            Reporter:
            suchanek.vaclav999 Václav Suchánek