wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

WSO2 Identity Server as Key Manager (wso2is-5.11.0) - Refresh Token Renews with Every Token Request Irrespective of Expiry Time #20514

Open LilanJay opened 4 weeks ago

LilanJay commented 4 weeks ago

Describe the issue: I have integrated wso2is-5.11.0 as the key manager for wso2am-4.1.0 according to the official documentation.

https://apim.docs.wso2.com/en/4.1.0/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/

I created an application and generated the client credentials, and also enabled the refresh token using the checkbox from the API Manager's devportal. I also set the refresh token expiry time to 14 days. Thereafter, when I invoked the token endpoint using the password grant type, the refresh token got renewed on each token request. However, I noticed that if I set the token type to default instead of JWT from the IS console, there is no issue. It seems as if the refresh token has been bound to the JWT token and gets renewed with every new JWT token.

How to reproduce:

  1. Download wso2am-4.1.0.
  2. Download wso2is-5.11.0.
  3. Set up wso2am-4.1.0 and wso2is-5.11.0, with wso2is-5.11.0 as the key manager for wso2am-4.1.0, following the steps mentioned in the documentation: https://apim.docs.wso2.com/en/4.1.0/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/
  4. Set the refresh token expiry to 14 days in the deployment.toml of wso2is-5.11.0:
     `[oauth.token_validation]`
     `refresh_token_validity = "14d"`
  5. Log into the devportal of the wso2am-4.1.0 and create an application and generate the client credentials.
  6. Tick the checkbox near refresh token and password to enable the refresh token generation.
  7. Invoke the token endpoint multiple times using the password grant type, passing the necessary parameters.

Expected behavior: The refresh token should remain the same in each token response for 14 days for the same client credentials, username and password.

Environment information (Please complete the following information; remove any unnecessary fields) :
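A small check a deployer can run against the token endpoint to confirm whether the refresh token rotates on every password-grant request, as an added example that is not part of the original issue or of the WSO2 code base; the token URL, client credentials and user credentials are placeholders the caller supplies, and the sample responses are constructed, not captured from a real server.

```python
import base64
import json
import urllib.parse
import urllib.request


def password_grant(token_url, client_id, client_secret, username, password, scope="default"):
    """Call the token endpoint once with the password grant and return the parsed JSON body.
    Every argument is an assumption supplied by the caller (e.g. https://localhost:9443/oauth2/token)."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "username": username, "password": password, "scope": scope,
    }).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(token_url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def refresh_token_rotates(responses):
    """Return True when successive token responses for the same client, username and
    password carry different refresh_token values (the behaviour reported in the issue)."""
    tokens = [r.get("refresh_token") for r in responses]
    if any(t is None for t in tokens):
        raise ValueError("a response carried no refresh_token; is the refresh grant enabled?")
    return len(set(tokens)) > 1


def check_endpoint(token_url, client_id, client_secret, username, password, attempts=3):
    """Request a token several times and report whether the refresh token rotated."""
    responses = [password_grant(token_url, client_id, client_secret, username, password)
                 for _ in range(attempts)]
    return refresh_token_rotates(responses)


# Constructed sample responses illustrating the two cases described in the issue.
JWT_TYPE_RESPONSES = [            # token type JWT: a new refresh token on each request
    {"access_token": "eyJ.a.1", "refresh_token": "r-111", "token_type": "Bearer", "expires_in": 3600},
    {"access_token": "eyJ.a.2", "refresh_token": "r-222", "token_type": "Bearer", "expires_in": 3600},
]
DEFAULT_TYPE_RESPONSES = [        # token type default: the refresh token is reused
    {"access_token": "opaque-1", "refresh_token": "r-111", "token_type": "Bearer", "expires_in": 3600},
    {"access_token": "opaque-2", "refresh_token": "r-111", "token_type": "Bearer", "expires_in": 3600},
]

if __name__ == "__main__":
    print("JWT type rotates:", refresh_token_rotates(JWT_TYPE_RESPONSES))
    print("default type rotates:", refresh_token_rotates(DEFAULT_TYPE_RESPONSES))
```

Point `check_endpoint` at a live key manager to see which case a deployment falls into; the inline samples only exercise the comparison logic.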