OIDC Client Requests Tokens with the same auth code

[barbj]

TS002195401
While testing the Liberty OIDC implementation we are running into a situation where Liberty attempts to request tokens using the same authorization code twice.

The way that I am able to reproduce this issue is by causing an error in the application currently (causing a javax.faces.application.ViewExpiredException is how I was able to reproduce it)

Assumptions

• Application uses openidConnectClient-1.0
• Application is configured to use Authorization Code Flow
• The application errors after refreshing the token

Repro Steps

1. Application is launched and the user logs in
2. Allow the LTPA and sessions to expire
3. Attempt to navigate the application (forcing a new authorization)
4. The application must exception at this point (note: my test app has a ViewExpiredException error that is triggered at this point)
5. Refresh the application
   -- The application should not exception at this point

Expected Outcome

• The OAuth2 flow should be followed

1. Call the authorize url
2. Call the callback url
3. Call the token endpoint
   -- The application should throw an exception
   -- The user should be authorized on refresh (either from the initial flow or via going through the OAuth2 flow again)

Actual Outcome

• The OAuth2 flow is followed

1. The authorize url is called
2. The callback url is called
3. The token endpoint is called
   -- The application returns an error
4. The application re-calls the token endpoint with the same auth code from step 2 above
   -- The user is presented with the 401 shown below
   -- Liberty logs:
   ** CWWKS1708E error shown below due to using the same auth code (IDP obfuscates the actual error, but traces show that this is the reason)

{"error_description": "OpenID Connect client returned with status: SEND_401","error": 401}

CWWKS1708E: The OpenID Connect client [CLIENT ID] is unable to contact the OpenID Connect provider at [https://company.com/oauth2/v1/token] to receive an ID token due to [Failed to reach endpoint https://company.com/oauth2/v1/token because of the following error: {
"error":"invalid_client"
}].

[barbj]

Input from @chunlongliang-ibm
This problem can only happen in following scenario:

1. Liberty RP receives a "code", and exchanges the "code" for a "token". It then creates a subject from the valid token.
2. Before the subject is created and the response is completed, the browser is refreshed.

This is due to a time gap between when the response is received and the browser is refreshed. If the browser refreshing is after when the response is received, this problem will not occur.

We could take an issue to address this gap.