I have generated access token using SAML extension grant type as mentioned in the below link:
Step 1: Generate assertion string.
java -jar SAML2AssertionCreator.jar TestSP admin https://localhost:9443/oauth2/token https://localhost:9443/oauth2/token/home/dinusha/nothing/WSO2/API-Manager/saml-oauth/wso2is-5.0.0/rhbepository/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon
This gives me the assertion string. I have set the expiry period as 300 (5 minutes).
Step 2: Fetch access token Using the assertion string and the Base64 encoded string of (consumerKey:ConsumerSecret) I can generate Oauth access token.
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<ASSERTION_PROVIDED_BY_CLIENT>&scope=PRODUCTION" -H "Authorization: Basic <ASSERTION_PROVIDED_BY_CLIENT>, Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
Oauth access token and Refresh token are generated. Access token has validity of 3600 (60 minutes).
Now, suppose a user's session is timed out within a time duration of 5 minutes (assertion string expiry time) and the user performs login operation, a new assertion string is generated and the existing access token is removed. However, this new assertion string gives me the same access token as obtained in the previous session. Since the access token is already invalid, it tries to regenerate a new access token using the refresh token. At this step, I am getting an error: "Invalid refresh token". (Logs are provided below). I don't think it's an issue with the authenticity of refresh token, since a new pair of access token should have been generated the second time using the new assertion string.
TID: [-1234] [] [2019-09-24 12:59:02,036] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthTokenReqMessageContext to threadlocal {org.wso2.carbon.identity.oauth2.util.OAuth2Util} TID: [-1234] [] [2019-09-24 12:59:02,036] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Token type is not set for service provider app with client Id: <client_id>. Hence the default Identity OAuth token issuer will be used. No custom token generator is set. {org.wso2.carbon.identity.oauth2.util.OAuth2Util} TID: [-1234] [] [2019-09-24 12:59:02,039] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Valid access token is found in cache for client: <client_id>. Remaining time: 3549358ms {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} TID: [-1234] [] [2019-09-24 12:59:02,040] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Enable Access Token renew per request: false {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} TID: [-1234] [] [2019-09-24 12:59:02,040] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Enable Access Token renew per request considering OAuthTokenReqMessageContext: false {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} TID: [-1234] [] [2019-09-24 12:59:02,040] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Valid access token is found in cache for client: <client_id>. Remaining time: 3549357ms {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} TID: [-1234] [] [2019-09-24 12:59:02,040] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthTokenReqMessageContext {org.wso2.carbon.identity.oauth2.util.OAuth2Util} TID: [-1234] [] [2019-09-24 12:59:02,040] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Access token issued to client Id: <client_id> username: @carbon.super and scopes: default {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} TID: [-1234] [] [2019-09-24 12:59:09,006] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Executing OAuth client authenticators. {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} TID: [-1234] [] [2019-09-24 12:59:09,006] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Retrieving registered OAuth client authenticator list. {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} TID: [-1234] [] [2019-09-24 12:59:09,006] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : BasicOAuthClientCredAuthenticator {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} TID: [-1234] [] [2019-09-24 12:59:09,006] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} - Basic auth credentials exists as Authorization header. Hence returning true. {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} TID: [-1234] [] [2019-09-24 12:59:09,006] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - BasicOAuthClientCredAuthenticator authenticator can handle incoming request. {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} TID: [-1234] [] [2019-09-24 12:59:09,006] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authenticator BasicOAuthClientCredAuthenticator can authenticate the client request. Hence trying to evaluate authentication {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} TID: [-1234] [] [2019-09-24 12:59:09,006] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} - Authorization header exists. Hence validating whether body params also present {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} TID: [-1234] [] [2019-09-24 12:59:09,006] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} - Authenticating client : <client_id> with client secret. {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} TID: [-1234] [] [2019-09-24 12:59:09,006] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were available in the cache for client id : <client_id> {org.wso2.carbon.identity.oauth2.util.OAuth2Util} TID: [-1234] [] [2019-09-24 12:59:09,006] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : <client_id> {org.wso2.carbon.identity.oauth2.util.OAuth2Util} TID: [-1234] [] [2019-09-24 12:59:09,006] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authentication result from OAuth client authenticator BasicOAuthClientCredAuthenticator is : true {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} TID: [-1234] [] [2019-09-24 12:59:09,006] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : PublicClientAuthenticator {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} TID: [-1234] [] [2019-09-24 12:59:09,007] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.PublicClientAuthenticator} - Application with the given client ID <client_id> is not found {org.wso2.carbon.identity.oauth2.client.authentication.PublicClientAuthenticator} TID: [-1234] [] [2019-09-24 12:59:09,007] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.PublicClientAuthenticator} - The Client ID is not present in the request. {org.wso2.carbon.identity.oauth2.client.authentication.PublicClientAuthenticator} TID: [-1234] [] [2019-09-24 12:59:09,007] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - PublicClientAuthenticator authenticator cannot handle this request. {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} TID: [-1234] [] [2019-09-24 12:59:09,040] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID <client_id>, User ID null, Scope : [] and Grant Type : refresh_token {org.wso2.carbon.identity.oauth2.OAuth2Service} TID: [-1234] [] [2019-09-24 12:59:09,040] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Oauth App validation success for consumer key: <client_id> {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} TID: [-1234] [] [2019-09-24 12:59:09,040] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenManagementDAOImpl} - Validating refresh token for client: <client_id> {org.wso2.carbon.identity.oauth2.dao.TokenManagementDAOImpl} TID: [-1234] [] [2019-09-24 12:59:09,089] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler} - Invalid Refresh Token provided for Client with Client Id : <client_id> {org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler} TID: [-1234] [] [2019-09-24 12:59:09,089] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Error occurred while validating grant {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Persisted access token data not found
at org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler.validatePersistedAccessToken(RefreshGrantHandler.java:251)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler.validateGrant(RefreshGrantHandler.java:79)
at org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:226)
at org.wso2.carbon.identity.oauth2.OAuth2Service.issueAccessToken(OAuth2Service.java:225)
at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:300)
at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:90)
at sun.reflect.GeneratedMethodAccessor153.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:209)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.webapp.mgt.filter.AuthorizationHeaderFilter.doFilter(AuthorizationHeaderFilter.java:128)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:65)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
TID: [-1234] [] [2019-09-24 12:59:09,090] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Invalid Grant provided by the client Id: <client_id> {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} TID: [-1234] [] [2019-09-24 12:59:09,090] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - OAuth-Error-Code=invalid_grant client-id=<client_id> grant-type=refresh_token scope= {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer}
To sum up, my issue is that two assertion strings(as long as the first one is still valid) gives me the same pair of access and refresh token. Any help is very much appreciated. Thanks for reading :)