oauth2

jwt: strange behavior when generating access tokens simultaneously

Open FeNoMeNa opened this issue 5 years ago • 0 comments

If you try the following shell execution:

for i in {1..5}; do curl -X POST -d "client_id=myClientID&client_secret=password&grant_type=password&username=jdoe&password=changeit&scope=cn" http://localhost:8899/token; done

You will get the following output:

{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJteUNsaWVudElEIiwiZXhwIjoxNTgwNzk4NzU3LCJzdWIiOiJhY2NvdW50X2lkIn0.RzrGuvP45fFr_fCLjaCjtt9OkQK3B7QGHkn2-BdX2vuE4C_sAtxuVDKNdEaJiQmIC9YhMxJw18tbFzImmG2Ki13XYAJWdE8gcQldcYD8bv31cvTJApOOKqDifQ9BtN1JPgqbh9iAncakg_GeSqguRXuZGHQd46WBu8cB9_h55xgDxnRX0BFByIY57XQC7JxGnFPaeX17_aW2X6u07mxI6fvPukYGpkK7I3oL_pfahmoHSUSW1u3GOtY1jhZWpE6ytkX7dqgqimDMe1NIJlMqHRn_E1WjUpuJTs3Unc08TEweykTlDZQCLJNtES9tb5f9umAfbZrUiqfb0J1NlJUuZA","expires_in":60,"refresh_token":"BLDY7AXVUZELQLSAU3OS1A","scope":"cn","token_type":"Bearer"}
{"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request"}
{"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request"}
{"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request"}
{"error":"server_error","error_description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request"}

This is due to the fact that all requests for getting an access token try to use the same JWT token string, and the DB complains with an error. This behavior is caused by the lack of a unique field in JWTAccessClaims. Right now ExpiresAt is used for uniqueness, but what if you try to generate multiple access tokens in the same second?

	claims := &JWTAccessClaims{
		StandardClaims: jwt.StandardClaims{
			Audience:  data.Client.GetID(),
			Subject:   data.UserID,
			// Unix() has second granularity: two tokens created for the same
			// client and user within the same second carry identical claims.
			ExpiresAt: data.TokenInfo.GetAccessCreateAt().Add(data.TokenInfo.GetAccessExpiresIn()).Unix(),
		},
	}

FeNoMeNa Feb 04 '20 07:02
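The collision the issue describes, reproduced in a stand-alone Go program that is added here and is not code from the oauth2 project or from the issue author. It builds compact JWTs by hand with only the standard library, so it needs no third-party JWT package; HS256 with a constructed key stands in for the server's RS256 key (both signatures are deterministic, so the argument about identical claims is the same). The `Claims` struct carries the three fields from the issue's `JWTAccessClaims`; the `jti` (JWT ID) field, the `newJTI` helper and the `issueTokens` and `countDistinct` functions are assumptions made for this example, illustrating one mitigation (a per-token unique claim) rather than the project's own fix.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Claims mirrors the aud/sub/exp fields used in the issue's JWTAccessClaims,
// plus an optional "jti" (JWT ID) claim, which is the assumed mitigation.
type Claims struct {
	Audience  string `json:"aud"`
	Subject   string `json:"sub"`
	ExpiresAt int64  `json:"exp"`
	ID        string `json:"jti,omitempty"`
}

// signHS256 builds a compact JWT (header.payload.signature). HS256 with a
// constructed key stands in for the server's RS256 key; both are deterministic,
// so identical claims always produce an identical token string.
func signHS256(c Claims, key []byte) (string, error) {
	enc := base64.RawURLEncoding
	header := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// newJTI returns a 128-bit random identifier, hex encoded (assumed helper).
func newJTI() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// issueTokens mints n access tokens for the same client and user with the same
// expiry, as the curl loop in the issue does when it completes within one second.
// withJTI=false reproduces the collision; withJTI=true applies the assumed fix.
func issueTokens(n int, exp time.Time, withJTI bool, key []byte) ([]string, error) {
	tokens := make([]string, 0, n)
	for i := 0; i < n; i++ {
		// Constructed sample values matching the issue's curl request.
		c := Claims{Audience: "myClientID", Subject: "jdoe", ExpiresAt: exp.Unix()}
		if withJTI {
			id, err := newJTI()
			if err != nil {
				return nil, err
			}
			c.ID = id
		}
		t, err := signHS256(c, key)
		if err != nil {
			return nil, err
		}
		tokens = append(tokens, t)
	}
	return tokens, nil
}

// countDistinct is what a unique index on the stored token column effectively
// enforces: only the first of several identical strings is accepted.
func countDistinct(tokens []string) int {
	seen := make(map[string]struct{}, len(tokens))
	for _, t := range tokens {
		seen[t] = struct{}{}
	}
	return len(seen)
}

func main() {
	key := []byte("constructed-demo-key") // constructed; not a real secret
	exp := time.Now().Add(60 * time.Second)
	collide, _ := issueTokens(5, exp, false, key)
	unique, _ := issueTokens(5, exp, true, key)
	fmt.Printf("without jti: %d distinct of %d tokens\n", countDistinct(collide), len(collide))
	fmt.Printf("with jti:    %d distinct of %d tokens\n", countDistinct(unique), len(unique))
}
```

Running it prints one distinct token out of five without `jti` and five out of five with it. A random `jti` also gives a natural key for per-token revocation, which a second-resolution `exp` cannot provide.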