0 votes

I've built a simple web application using Spark and pac4j. It is supposed to authenticate users with WSO2 Identity Server 5.0.0, using the OAuth 2 "Authorization Code Grant".

The OAuth flow seems to work fine, but not completely:

  • user is redirected to WSO2 (/oauth2/authorize?response_type=code&client_id=foo&redirect_uri=bar&scope=openid&prompt=consent)
  • user identifies with username / password
  • user gives consent to exchange claims with my web application
  • my web application exchanges the code it receives for an access token and a refresh token

However, finally pac4j retrieves the user profile (/oauth2/userinfo?schema=openid), using the access token. This always gives me the response

{"error":"invalid_token","error_description":"Access token validation failed"}

And WSO2 logs

TID: [0] [IS] [2018-03-14 16:20:30,446] DEBUG {org.wso2.carbon.identity.oauth.endpoint.user.OpenIDConnectUserEndpoint} - org.wso2.carbon.identity.oauth.endpoint.user.UserInfoEndpointException: Access token validation failed {org.wso2.carbon.identity.oauth.endpoint.user.OpenIDConnectUserEndpoint}

The access token is still present in the IDN_OAUTH2_ACCESS_TOKEN database table:

TIME_CREATED            VALIDITY_PERIOD TOKEN_STATE TOKEN_STATE_ID
------------------------------------------------------------------
2018-03-14 10:40:35.940 3600000         ACTIVE      NONE

I don't understand why WSO2 says my access token is invalid.

Can anyone shed some light on this?

Comments:

1 – Try to find a reason in the logs. Looking at the WSO2 sources, there should be a debug message from the TokenValidationHandler.buildClientAppErrorResponse() method. (Ján Halaša)

The only logging WSO2 gives is already included in the question. (mthmulders)
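As an added illustration (not code from the question, from pac4j, or from WSO2), the script below reconstructs, from the IDN_OAUTH2_ACCESS_TOKEN row and the log line quoted above, whether the token's lifetime had already elapsed at the time of the /oauth2/userinfo call. It assumes that VALIDITY_PERIOD is a lifetime in milliseconds counted from TIME_CREATED, which the value 3600000 (one hour) suggests; that reading of the column is an assumption, not something the question states. The sample row and log line are copied from the question, and the `AccessTokenRow`, `parse_log_timestamp` and `validate` names are the example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Tuple

# Timestamp layout used by the IDN_OAUTH2_ACCESS_TOKEN row in the question.
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# WSO2 Carbon log lines carry the event time as "[2018-03-14 16:20:30,446]"
# (comma before the milliseconds).
LOG_TS_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})\]")


@dataclass(frozen=True)
class AccessTokenRow:
    """One IDN_OAUTH2_ACCESS_TOKEN row, reduced to the columns shown in the question."""
    time_created: datetime
    validity_period_ms: int   # assumption: VALIDITY_PERIOD is a lifetime in milliseconds
    token_state: str
    token_state_id: str

    @classmethod
    def from_columns(cls, time_created: str, validity_period: str,
                     token_state: str, token_state_id: str) -> "AccessTokenRow":
        return cls(datetime.strptime(time_created, TS_FORMAT), int(validity_period),
                   token_state, token_state_id)

    def expires_at(self) -> datetime:
        return self.time_created + timedelta(milliseconds=self.validity_period_ms)


def parse_log_timestamp(log_line: str) -> datetime:
    """Extract the event time from a WSO2 Carbon log line."""
    m = LOG_TS_RE.search(log_line)
    if m is None:
        raise ValueError("no timestamp found in log line")
    return datetime.strptime(f"{m.group(1)}.{m.group(2)}", TS_FORMAT)


def validate(row: AccessTokenRow, now: datetime) -> Tuple[bool, str]:
    """Return (valid, reason) for the row when a bearer token is presented at `now`.

    These are the two checks a resource server must make before honouring a
    bearer token: the record is active, and its lifetime has not elapsed.
    TOKEN_STATE alone is not sufficient, because a store may still show ACTIVE
    on a row whose validity window has already passed.
    """
    if row.token_state != "ACTIVE":
        return False, f"token state is {row.token_state}"
    exp = row.expires_at()
    if now >= exp:
        return False, f"expired at {exp} ({now - exp} before this request)"
    return True, f"valid for another {exp - now}"


# Constructed from the table row and the log line quoted in the question.
ROW = AccessTokenRow.from_columns("2018-03-14 10:40:35.940", "3600000", "ACTIVE", "NONE")
LOG_LINE = ("TID: [0] [IS] [2018-03-14 16:20:30,446] DEBUG "
            "{org.wso2.carbon.identity.oauth.endpoint.user.OpenIDConnectUserEndpoint} - "
            "Access token validation failed")

if __name__ == "__main__":
    when = parse_log_timestamp(LOG_LINE)
    ok, why = validate(ROW, when)
    print(f"userinfo call at {when}: {'VALID' if ok else 'INVALID'} ({why})")
```

Run as-is, the script reports the userinfo call at 16:20:30 as outside a one-hour window that closed at 11:40:35, even though TOKEN_STATE still reads ACTIVE. The practical point for anyone debugging a rejected bearer token is to compare the request time against TIME_CREATED plus VALIDITY_PERIOD before trusting the state column, and to keep the resource server's clock and the token store's clock in sync so that such comparisons are meaningful.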

1 Answer

1 vote

Well, strange as it is... Deleting all access tokens and authorization tokens in the WSO2 database resolved the issue.