By: Qin Rodney user 27 Feb 2017 at 1:11 a.m. CST

5 Responses
When I achieve OpenID Connect single sign-on via Gluu by using the oxd server, I can get the code, access token and user information, and then log in to my web site successfully. About two or three hours later, when I call the logout API provided by the oxd server, it throws a "The provided access token is invalid, or was issued to another client" exception. Is there a good way to log out successfully or extend the expiration of the access token?

By Aliaksandr Samuseu staff 28 Feb 2017 at 11:17 a.m. CST

Hi, Qin. Please provide a bit more info on the steps needed to reproduce it. What language is your app written in, i.e. what oXd server plugin or library do you use? Which API exactly do you call when this happens? Could you please provide a snippet of your code where this happens?

By Qin Rodney user 28 Feb 2017 at 6:56 p.m. CST

```
{"command":"get_logout_uri","params":{"state":null,"oxd_id":"4b0107f4-dad0-46c6-b124-d425022ab4f8","id_token_hint":"eyJraWQiOiI4YjEyMjVhNy00ZGQxLTQ0YWQtOTMwYi03ODUwNGU0MjVmNDciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2dsdXUuY2F0YXB1bHRsZWFybmluZy5jb20iLCJhdWQiOiJAITg1MEYuMTJFQi42N0YzLkY1REUhMDAwMSEzRUUyLjhBRkEhMDAwOCE0MkQ3LjZCNDAiLCJleHAiOjE0ODY2Mjg1MTgsImlhdCI6MTQ4NjYyNDkxOCwibm9uY2UiOiJiaDhlMWthMG11NGduYnYxNjNtbnVia3NtZCIsImF1dGhfdGltZSI6MTQ4NjYyNDg5OCwiYXRfaGFzaCI6IjEwX182VVQ2eWVVTXBoY2N2WlVxeWciLCJveFZhbGlkYXRpb25VUkkiOiJodHRwczovL2dsdXUuY2F0YXB1bHRsZWFybmluZy5jb20vb3hhdXRoL29waWZyYW1lIiwib3hPcGVuSURDb25uZWN0VmVyc2lvbiI6Im9wZW5pZGNvbm5lY3QtMS4wIiwiZW1haWwiOiJvYnNlcnZlcjJAb3dsLmV4YW1wbGUuY29tIiwiaW51bSI6IkAhODUwRi4xMkVCLjY3RjMuRjVERSEwMDAxITNFRTIuOEFGQSEwMDAwITcxMDIuQTYwMCIsInN1YiI6IkAhODUwRi4xMkVCLjY3RjMuRjVERSEwMDAxITNFRTIuOEFGQSEwMDAwITcxMDIuQTYwMCJ9.mqnzL0XKwyeFs3WIvB7S0UwgLmXMLEABmFH57LKj9zjG0Nou9vlZkMPDToTiMb83hISNmippyniUwn1ddFYkDvgZXYNpSrRDXa3aDrRzS4BqugNzZ-CaYcidhCDpNcV5ujDk6z4a2TQ4iTd1ly9VZs4l3MiiBSBMrTUWoQyvPQD9lsjPV8LOgQuXVM3idkqWRhMz1h2DNvXFDjzZ5UQp_L7-d616L_RjUmDIrS69Bmc2Sy1fYHqz1QcJRJL4xjk2-Un2ohF4uoBCJOUfbwlCpuDrX8A5q3UCTJAU9HW_Ak3kOuEec0FYpXj7FGcfMYLNhZkuuwVsL7f6GlSIXnAnug","post_logout_redirect_uri":"https://qa.owlforlearning.com/walkthrough/api/users/logout?apiKey=web","session_state":null}}
2017-03-01 10:18:23,404 TRACE [org.xdi.oxd.server.Processor] Send back response:
{"status":"ok","data":{"uri":"https://gluu.catapultlearning.com/oxauth/seam/resource/restv1/oxauth/end_session?id_token_hint=eyJraWQiOiI4YjEyMjVhNy00ZGQxLTQ0YWQtOTMwYi03ODUwNGU0MjVmNDciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.mqnzL0XKwyeFs3WIvB7S0UwgLmXMLEABmFH57LKj9zjG0Nou9vlZkMPDToTiMb83hISNmippyniUwn1ddFYkDvgZXYNpSrRDXa3aDrRzS4BqugNzZ-CaYcidhCDpNcV5ujDk6z4a2TQ4iTd1ly9VZs4l3MiiBSBMrTUWoQyvPQD9lsjPV8LOgQuXVM3idkqWRhMz1h2DNvXFDjzZ5UQp_L7-d616L_RjUmDIrS69Bmc2Sy1fYHqz1QcJRJL4xjk2-Un2ohF4uoBCJOUfbwlCpuDrX8A5q3UCTJAU9HW_Ak3kOuEec0FYpXj7FGcfMYLNhZkuuwVsL7f6GlSIXnAnug&post_logout_redirect_uri=https%3A%2F%2Fqa.owlforlearning.com%2Fwalkthrough%2Fapi%2Fusers%2Flogout%3FapiKey%3Dweb"}}
```

We use the oxd server library for Java and call the logout API; we can get the session end URI successfully. Because the access token is invalid, when we call the session end URI it throws a "The provided access token is invalid, or was issued to another client" exception. Please give us some suggestion to avoid it or extend the expiration of access token.

By Aliaksandr Samuseu staff 01 Mar 2017 at 11:29 a.m. CST

What is the exact version of your Gluu and oxD packages? Please do `# rpm -qi gluu-server-2.4.4` or `rpm -qi gluu-server-2.4.4.2` at the Gluu host, and `# rpm -qi gluu-oxd-server` at the oxD host.

Can it be due to [this issue](https://github.com/GluuFederation/oxAuth/issues/332), i.e. it's not about the access token, but about an expired `id_token` used as a hint? According to [this part of spec](http://openid.net/specs/openid-connect-session-1_0-17.html#RPLogout) you are only expected to provide the id_token hint and post-logout url to the end session endpoint.

> please give us some suggestion to avoid it or extend the expiration of access token

You can control expiration of different OIDC tokens by editing the following elements of oxAuth's config:

- "idTokenLifetime": 3600
- "shortLivedAccessTokenLifetime": 300
- "refreshTokenLifetime": 14400

Though, as noted above, you will probably only need to modify "idTokenLifetime". The easiest way to edit those properties will probably be by moving to the "Configuration -> JSON configuration -> oxAuth Configuration" page of the web UI. You could also edit it directly in the LDAP directory.
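
An added example, not part of the thread and not oxd's own code: a local check of whether a stored `id_token` is still within its `exp` claim before it is passed as `id_token_hint` to `get_logout_uri`. The helper names, the 30-second skew and the sample token are constructed for illustration, and the signature is deliberately not verified here.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS. The signature is NOT
    verified: this is a freshness check, never an authentication decision."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("payload has no numeric 'exp' claim")
    return claims


def hint_status(id_token: str, now: Optional[float] = None, skew: int = 30) -> dict:
    """Report whether the token is still usable as id_token_hint at `now`."""
    claims = id_token_claims(id_token)
    now = time.time() if now is None else now
    remaining = claims["exp"] - now
    lifetime = claims["exp"] - claims["iat"] if "iat" in claims else None
    return {"expired": remaining <= skew,
            "seconds_remaining": int(remaining),
            "lifetime": lifetime}


def make_sample_token(iat: int, lifetime: int) -> str:
    """Constructed, unsigned sample token (dummy signature) for the demo."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"iss": "https://op.example", "iat": iat, "exp": iat + lifetime}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "c2ln"])


if __name__ == "__main__":
    issued = 1_700_000_000                   # constructed login time
    token = make_sample_token(issued, 3600)  # mirrors "idTokenLifetime": 3600
    print(hint_status(token, now=issued + 600))       # ten minutes after login
    print(hint_status(token, now=issued + 3 * 3600))  # three hours after login
```
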

By Qin Rodney user 06 Mar 2017 at 3:14 a.m. CST

The Gluu version is 2.4.4, and the oxd jar package is 2.4.4. We need to use code to check whether the token is valid or not; if it is invalid, we want to use code to extend its expiration time by calling the oxd server API. Are there APIs provided by the oxd server that can extend the token's expiration time?

By Michael Schwartz Account Admin 10 Mar 2017 at 3:56 p.m. CST

It sounds like your session timed out. Access tokens are very short lived--five minutes. Refresh tokens live a longer time (a day). Web sessions are in-between (about an hour). All these values are configurable in the JSON properties.