By: Pawel Pietrzynski named 21 Feb 2020 at 3:12 p.m. CST

oxAuth has an internal timer that rotates its token signing and encryption keys every “keyRegenerationInterval” minutes. The expiry of the newly generated keys is set to the current time + “keyRegenerationInterval” + “idTokenLifetime”. However, whenever the server is rebooted **the timer resets**, meaning the regeneration won’t run again until “keyRegenerationInterval” minutes **after the time of reboot**. Unless the reboot occurs within “idTokenLifetime” of the last regeneration, all of the keys will expire. The certificates provided in the “x5c” fields have a NotAfter expiry date based on that value. Any RP that uses these certificates to obtain the keys and then checks the expiry will fail, and we have tested such failures with Microsoft OIDC clients.
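
The timeline described in the report, modelled as an added example (this is not oxAuth code and not part of the ticket). The model assumes the rotation timer fires at the start time and then every keyRegenerationInterval, that a reboot discards the pending firing, and that the x5c NotAfter equals the key expiry; the 60-minute interval, 30-minute idTokenLifetime and reboot offsets are constructed values:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class KeySet:
    """One generation of signing/encryption keys; expires_at models the x5c NotAfter."""
    generated_at: datetime
    expires_at: datetime


def rotate(now, key_regeneration_interval, id_token_lifetime):
    """New keys expire at now + keyRegenerationInterval + idTokenLifetime (per the report)."""
    return KeySet(now, now + key_regeneration_interval + id_token_lifetime)


def rotation_schedule(start, reboot_at, end, key_regeneration_interval, id_token_lifetime):
    """Key sets produced between start and end with a single reboot at reboot_at.

    Assumption of this model: the timer fires at start and then every
    keyRegenerationInterval; the reboot discards the pending firing, so the
    first post-reboot rotation happens at reboot_at + keyRegenerationInterval.
    """
    keys = []
    t = start
    while t < reboot_at:
        keys.append(rotate(t, key_regeneration_interval, id_token_lifetime))
        t += key_regeneration_interval
    t = reboot_at + key_regeneration_interval  # timer restarted from the reboot
    while t <= end:
        keys.append(rotate(t, key_regeneration_interval, id_token_lifetime))
        t += key_regeneration_interval
    return keys


def unsigned_windows(keys, start, end):
    """Intervals in [start, end) during which every published key set has expired.

    An RP that checks the x5c NotAfter rejects anything verified with keys
    from these windows, which is the failure the report describes.
    """
    gaps = []
    covered_until = start
    for k in sorted(keys, key=lambda k: k.generated_at):
        if k.generated_at > covered_until:
            gaps.append((covered_until, k.generated_at))
        covered_until = max(covered_until, k.expires_at)
    if covered_until < end:
        gaps.append((covered_until, end))
    return gaps


def reboot_causes_outage(last_regeneration, reboot_at, key_regeneration_interval, id_token_lifetime):
    """Closed form of the report's rule: an outage follows unless the reboot
    happens within idTokenLifetime of the last regeneration.

    Works with datetime/timedelta or with plain minute counts, since only + and > are used.
    """
    expiry = last_regeneration + key_regeneration_interval + id_token_lifetime
    next_regeneration = reboot_at + key_regeneration_interval
    return next_regeneration > expiry


def outage_minutes(reboot_offset_minutes, interval_minutes=60, lifetime_minutes=30, horizon_minutes=240):
    """Run the model on a constructed timeline; return outage windows as minute offsets from t0."""
    t0 = datetime(2020, 2, 21, 12, 0, tzinfo=timezone.utc)  # constructed start time
    interval = timedelta(minutes=interval_minutes)
    lifetime = timedelta(minutes=lifetime_minutes)
    end = t0 + timedelta(minutes=horizon_minutes)
    keys = rotation_schedule(t0, t0 + timedelta(minutes=reboot_offset_minutes), end, interval, lifetime)
    return [(int((a - t0).total_seconds() // 60), int((b - t0).total_seconds() // 60))
            for a, b in unsigned_windows(keys, t0, end)]


if __name__ == "__main__":
    # Reboot 20 min after the last rotation (inside the 30-min idTokenLifetime): no gap.
    # Reboot 50 min after it (outside): keys expire at +90 min, next rotation only at +110 min.
    for offset in (20, 50):
        print(f"reboot at +{offset} min -> outage windows {outage_minutes(offset)}")
```

With a 60-minute interval and 30-minute idTokenLifetime, a reboot 50 minutes after the last rotation leaves a 20-minute window (from +90 to +110 minutes) in which the JWKS advertises only expired certificates, while a reboot 20 minutes after it leaves no window at all.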

By Aliaksandr Samuseu staff 21 Feb 2020 at 3:16 p.m. CST

Hi, Pawel. Thanks for reporting it. @Yuriy.Zabrovarnyy, could you assess whether it's as expected?

By Mohib Zico staff 02 Mar 2020 at 7:50 a.m. CST

Interesting, I am running an EKS deployment where I am tracking that key generation for one customer. Assigning this ticket to me; I'll run this use case in my test implementation.