OIDC Client Requests Tokens with the same auth code #8773
Labels: release bug (This bug is present in a released version of Open Liberty), release:20001, team:Security SSO, TS002195401
While testing the Liberty OIDC implementation we are running into a situation where Liberty attempts to request tokens using the same authorization code twice.
I am able to reproduce this issue by causing an error in the application (causing a javax.faces.application.ViewExpiredException is how I was able to reproduce it).
Assumptions
Repro Steps
-- The application should not throw an exception at this point
Expected Outcome
-- The application should throw an exception
-- The user should be authorized on refresh (either from the initial flow or via going through the OAuth2 flow again)
Actual Outcome
-- The application returns an error
-- The user is presented with the 401 shown below
-- Liberty logs:
** CWWKS1708E error shown below, caused by using the same auth code (the IdP obfuscates the actual error, but traces show that this is the reason)
{"error_description": "OpenID Connect client returned with status: SEND_401","error": 401}
CWWKS1708E: The OpenID Connect client [CLIENT ID] is unable to contact the OpenID Connect provider at [https://company.com/oauth2/v1/token] to receive an ID token due to [Failed to reach endpoint https://company.com/oauth2/v1/token because of the following error: {
"error":"invalid_client"
}].
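As an added illustration, not code from this issue or from Open Liberty, here is a constructed Python model of a provider token endpoint that enforces single-use authorization codes, rejects a replayed code, and revokes the token issued on the first exchange (RFC 6749 section 4.1.2). The client id, secret and endpoint shape are assumptions; per the RFC the replay error is invalid_grant, whereas the provider in this report surfaced invalid_client.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenEndpoint:
    """Constructed model of an OIDC provider's /token endpoint (assumption, not a real IdP)."""
    clients: dict                                  # client_id -> client_secret
    pending: dict = field(default_factory=dict)    # unredeemed code -> client_id
    redeemed: dict = field(default_factory=dict)   # redeemed code -> access token issued
    revoked: set = field(default_factory=set)      # tokens invalidated after a replay
    audit: list = field(default_factory=list)      # security events a SOC would collect

    def issue_code(self, client_id: str) -> str:
        code = secrets.token_urlsafe(16)
        self.pending[code] = client_id
        return code

    def exchange(self, client_id: str, client_secret: str, code: str) -> dict:
        if self.clients.get(client_id) != client_secret:
            return {"error": "invalid_client"}            # bad client credentials
        if code in self.redeemed:
            # Second use of the same code: deny it and revoke what the first
            # exchange produced, so a replayed code never extends a session.
            token = self.redeemed[code]
            self.revoked.add(token)
            self.audit.append(f"code_reuse client={client_id} revoked_token={token}")
            return {"error": "invalid_grant"}
        if self.pending.pop(code, None) != client_id:
            return {"error": "invalid_grant"}             # unknown code or wrong client
        token = secrets.token_urlsafe(24)
        self.redeemed[code] = token
        return {"access_token": token, "token_type": "Bearer"}

    def is_valid(self, token: str) -> bool:
        return token in self.redeemed.values() and token not in self.revoked


def replay_scenario():
    """Constructed reproduction of the report: one code exchanged twice."""
    idp = TokenEndpoint(clients={"liberty-client": "s3cret"})  # assumed values
    code = idp.issue_code("liberty-client")
    first = idp.exchange("liberty-client", "s3cret", code)
    second = idp.exchange("liberty-client", "s3cret", code)   # the replay
    return first, second, idp
```

The audit entry is the signal a defender wants from the provider side: a client replaying a code usually indicates a client bug like the one reported here, and occasionally an intercepted code.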