By: Jeremy Carter user 03 Aug 2020 at 10:14 a.m. CDT

2 Responses
Jeremy Carter gravatar
When authentication requests for a given client trickle in at a rate faster then the access token lifetime, oxauth will eventually become unresponsive. I have tracked down the cause of this issue to some problematic code in the GrantService which remains unchanged in Gluu 4.2 which likely also contains this issue. The following code in the GrantService is fetching the cache of all tokens for a given client, appending the newly created token and then pushing the set of tokens back to the cache with the expiration of the current token. This carries multiple issues: https://github.com/GluuFederation/oxAuth/blob/master/Server/src/main/java/org/gluu/oxauth/service/GrantService.java#L142 1. This is not an atomic operation. This causes race conditions where multiple simultaneous authentication requests for the same client will result in some of their access tokens not stored in this cache. **2. Other tokens in this cache which may have expired are placed back in the cache with the expiration of the most recent access token. Unless this hashset of tokens is allowed to expire, it will continue to grow until either a timeout is reached when fetching this cache key or the server runs out of heap space attempting to deserialize. I have encountered both.** The current workaround is to disable entry into this section of code by setting the following: UseCacheForAllImplicitFlowObjects=FALSE PersistIdTokenInLdap=TRUE PersistRefreshTokenInLdap=TRUE

By Yuriy Zabrovarnyy staff 03 Aug 2020 at 10:40 a.m. CDT

Yuriy Zabrovarnyy gravatar
Both `ClientTokens` and `SessionTokens` were used as performance boost before we started to use Couchbase. Now it's outdated and should be removed. Scheduled removing: https://github.com/GluuFederation/oxAuth/issues/1431

By Yuriy Zabrovarnyy staff 04 Aug 2020 at 6:01 a.m. CDT

Yuriy Zabrovarnyy gravatar
Closing this ticket, feel free to re-open if needed.