IAM fails to issue tokens around a timezone change

Open sfayer opened this issue 9 months ago • 0 comments

Hi,

We're running iam-login-service v1.10.2 in a timezone where the clocks go forward an hour in spring (specifically the times between 1am and 2am don't exist today). Our monitoring picked up that the service was returning 500/internal server error when issuing tokens for the hour running up to the time change.

Our default access token lifetime is 1 hour and as soon as we reached midnight, token issuing started to fail (when the tokens would expire the other side of the timezone change) as the expiration timestamps are times which don't exist in the local timezone:

Mar 30 00:00:02 myserver.mydomain iam-login-service[5015]: [EL Warning]: 2025-03-30 00:00:02.293--UnitOfWork(337847578)--Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.7.9.v20210604-2c549e2208): org.eclipse.persistence.exceptions.DatabaseException
Mar 30 00:00:02 myserver.mydomain iam-login-service[5015]: Internal Exception: com.mysql.cj.jdbc.exceptions.MysqlDataTruncation: Data truncation: Incorrect datetime value: '2025-03-30 01:00:02' for column `iam_login_service`.`access_token`.`expiration` at row 1
Mar 30 00:00:02 myserver.mydomain iam-login-service[5015]: Error Code: 1292
Mar 30 00:00:02 myserver.mydomain iam-login-service[5015]: Call: INSERT INTO access_token (expiration, token_value, token_type, token_value_hash, approved_site_id, auth_holder_id, client_id, refresh_token_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
Mar 30 00:00:02 myserver.mydomain iam-login-service[5015]:         bind => [8 parameters bound]
Mar 30 00:00:02 myserver.mydomain iam-login-service[5015]: Query: InsertObjectQuery(org.mitre.oauth2.model.OAuth2AccessTokenEntity@18b74ffd)

At 2am, everything immediately goes back to normal:

Mar 30 00:59:34 myserver.mydomain iam-login-service[5015]: Query: InsertObjectQuery(org.mitre.oauth2.model.OAuth2AccessTokenEntity@2df23d23)
Mar 30 00:59:35 myserver.mydomain iam-login-service[5015]: [EL Warning]: 2025-03-30 00:59:35.172--UnitOfWork(371305163)--Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.7.9.v20210604-2c549e2208): org.eclipse.persistence.exceptions.DatabaseException
Mar 30 00:59:35 myserver.mydomain iam-login-service[5015]: Internal Exception: com.mysql.cj.jdbc.exceptions.MysqlDataTruncation: Data truncation: Incorrect datetime value: '2025-03-30 01:59:35' for column `iam_login_service`.`access_token`.`expiration` at row 1
Mar 30 00:59:35 myserver.mydomain iam-login-service[5015]: Error Code: 1292
Mar 30 00:59:35 myserver.mydomain iam-login-service[5015]: Call: INSERT INTO access_token (expiration, token_value, token_type, token_value_hash, approved_site_id, auth_holder_id, client_id, refresh_token_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
Mar 30 00:59:35 myserver.mydomain iam-login-service[5015]:         bind => [8 parameters bound]
Mar 30 00:59:35 myserver.mydomain iam-login-service[5015]: Query: InsertObjectQuery(org.mitre.oauth2.model.OAuth2AccessTokenEntity@3e9dd47b)
Mar 30 02:00:00 myserver.mydomain iam-login-service[5015]: 2025-03-30 01:00:00.000  INFO 2 --- [pool-1-thread-1] i.i.m.i.c.l.ExpiredAccountsHandler       : Expired accounts handler ... [START]
Mar 30 02:00:00 myserver.mydomain iam-login-service[5015]: 2025-03-30 01:00:00.002  INFO 2 --- [pool-1-thread-1] i.i.m.i.c.l.ExpiredAccountsHandler       : Expired accounts handler ... [END]
Mar 30 02:00:00 myserver.mydomain iam-login-service[5015]: 2025-03-30 01:00:00.746  INFO 2 --- [io-8080-exec-22] AUDIT                                    : {"@type":"AccessTokenIssuedEvent","timestamp":1743296400746,"category":"TOKEN","principal":"...
Mar 30 02:00:01 myserver.mydomain iam-login-service[5015]: 2025-03-30 01:00:01.714  INFO 2 --- [io-8080-exec-39] AUDIT                                    : {"@type":"AccessTokenIssuedEvent","timestamp":1743296401714,"category":"TOKEN","principal":"...

Could this please be fixed?

Regards, Simon

sfayer avatar Mar 30 '25 09:03 sfayer
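
The failure mode visible in the log above, as an added Java example that is not part of the original issue or of the IAM code base: a zone-less expiry string that falls inside a spring-forward gap, next to the zone-aware and epoch forms of the same instant. The `Europe/London` zone is an assumption (the issue does not name the zone), and `DstGapCheck`, `inGap` and `gapWithin` are hypothetical names.

```java
import java.time.*;
import java.time.format.DateTimeFormatter;
import java.time.zone.ZoneOffsetTransition;
import java.time.zone.ZoneRules;

public class DstGapCheck {
    static final DateTimeFormatter SQL = DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss");

    /** True if this wall-clock value is skipped in the zone (spring-forward gap). */
    static boolean inGap(LocalDateTime wallClock, ZoneId zone) {
        return zone.getRules().getValidOffsets(wallClock).isEmpty();
    }

    /** First spring-forward transition in (from, from + window], or null if none. */
    static ZoneOffsetTransition gapWithin(Instant from, Duration window, ZoneId zone) {
        ZoneRules rules = zone.getRules();
        Instant until = from.plus(window);
        ZoneOffsetTransition t = rules.nextTransition(from);
        while (t != null && !t.getInstant().isAfter(until)) {
            if (t.isGap()) return t;
            t = rules.nextTransition(t.getInstant());
        }
        return null;
    }

    public static void main(String[] args) {
        ZoneId zone = ZoneId.of("Europe/London");   // assumption: zone not named in the issue
        Duration lifetime = Duration.ofHours(1);    // token lifetime stated in the issue
        // Issue time of the first failing request in the log: 00:00:02 local time.
        Instant issued = ZonedDateTime.of(2025, 3, 30, 0, 0, 2, 0, zone).toInstant();
        Instant expiry = issued.plus(lifetime);

        // Zone-less string matching the value rejected in the log.
        LocalDateTime naive = LocalDateTime.ofInstant(expiry, ZoneOffset.UTC);
        System.out.println("naive value      : " + SQL.format(naive));
        System.out.println("exists in zone   : " + !inGap(naive, zone));

        // The same instant converted with the zone rules lands after the gap.
        System.out.println("zone-aware local : " + SQL.format(expiry.atZone(zone)));
        // Epoch seconds do not depend on any zone, so they have no gaps.
        System.out.println("epoch seconds    : " + expiry.getEpochSecond());

        // Preflight check: will a token issued now expire across a gap?
        ZoneOffsetTransition gap = gapWithin(issued, lifetime, zone);
        if (gap != null) {
            System.out.println("gap in lifetime  : " + gap.getDateTimeBefore()
                    + " -> " + gap.getDateTimeAfter());
        }
    }
}
```

The `gapWithin` check can back a monitoring probe that warns before the hour in which token issuance would start failing.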