wso2-extensions/identity-inbound-auth-oauth #1532 (Closed)
Description
Describe the issue:
When token encryption is enabled, the getAccessTokenByTokenId() method does not return the plain token value, resulting in a bad token lookup.
This causes the following error on session termination in these flows:
- Log in to the myaccount and try to terminate sessions.
- Create a user via console. Let that user log in to the myaccount in the same browser. Try to delete that user from console.
- Try to reset the password of a user while that user is logged in to myaccount in another browser.
ERROR {org.wso2.carbon.identity.api.dispatcher.DefaultExceptionMapper} - Server encountered an error while serving the request. java.lang.IllegalArgumentException: Invalid Access Token. Access token is not ACTIVE.
at org.wso2.carbon.identity.oauth2.util.OAuth2Util.getAccessTokenDOFromTokenIdentifier(OAuth2Util.java:1601)
at org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler.revokeTokensMappedToSession(TokenBindingExpiryEventHandler.java:295)
at org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler.revokeAccessTokensMappedForSessions(TokenBindingExpiryEventHandler.java:125)
at org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler.handleEvent(TokenBindingExpiryEventHandler.java:86)
at org.wso2.carbon.identity.event.services.IdentityEventServiceImpl.handleEvent(IdentityEventServiceImpl.java:56)
at org.wso2.carbon.identity.data.publisher.application.authentication.AuthnDataPublisherProxy.doPublishEvent(AuthnDataPublisherProxy.java:245)
at org.wso2.carbon.identity.data.publisher.application.authentication.AuthnDataPublisherProxy.publishSessionTermination(AuthnDataPublisherProxy.java:211)
at org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils.publishSessionEvent(FrameworkUtils.java:1848)
at org.wso2.carbon.identity.application.authentication.framework.internal.impl.ServerSessionManagementServiceImpl.terminateSession(ServerSessionManagementServiceImpl.java:67)
at org.wso2.carbon.identity.application.authentication.framework.internal.impl.ServerSessionManagementServiceImpl.removeSession(ServerSessionManagementServiceImpl.java:47)
at org.wso2.carbon.identity.application.authentication.framework.services.SessionManagementService.removeSession(SessionManagementService.java:40)
at org.wso2.carbon.identity.application.authentication.framework.internal.impl.UserSessionManagementServiceImpl.terminateSessionsOfUser(UserSessionManagementServiceImpl.java:155)
at org.wso2.carbon.identity.application.authentication.framework.internal.impl.UserSessionManagementServiceImpl.terminateSessionsByUserId(UserSessionManagementServiceImpl.java:212)
at org.wso2.carbon.identity.rest.api.user.session.v1.core.SessionManagementService.terminateSessionsByUserId(SessionManagementService.java:164)
at org.wso2.carbon.identity.rest.api.user.session.v1.core.SessionManagementService.terminateSessionsByUserId(SessionManagementService.java:96)
at org.wso2.carbon.identity.rest.api.user.session.v1.impl.MeApiServiceImpl.terminateSessionsByLoggedInUser(MeApiServiceImpl.java:63)
at org.wso2.carbon.identity.rest.api.user.session.v1.MeApi.terminateSessionsByLoggedInUser(MeApi.java:113)
How to reproduce:
Enable token encryption by adding the following config into the deployment.toml file.
[oauth.extensions]
token_persistence_processor = "org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor"
- Log in to the myaccount and try to terminate sessions.
- Create a user via console. Let that user log in to the myaccount in the same browser. Try to delete that user from console.
- Try to reset the password of a user while that user is logged in to myaccount in another browser.
Expected behavior:
Terminate user sessions without any issue.
Environment information (Please complete the following information; remove any unnecessary fields):
- Product Version: IS 5.12.0-m7
- OS: Linux
- Database: H2
- Userstore: LDAP
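The lookup mismatch described in this issue, modelled as an added Python example (this is not the project's code; the class and method names are assumptions loosely following the persistence processor named in the config above, and the "encryption" is a reversible placeholder, not real cryptography):

```python
import base64


class EncryptionDecryptionPersistenceProcessor:
    """Stand-in for the processor named in deployment.toml (assumed names)."""

    def get_processed_token(self, plain: str) -> str:
        # Placeholder for encryption: what gets written to the token table.
        return "enc:" + base64.b64encode(plain.encode()).decode()

    def get_preprocessed_token(self, processed: str) -> str:
        # Placeholder for decryption: recovers the plain token from the stored value.
        return base64.b64decode(processed[len("enc:"):]).decode()


class PlainTextPersistenceProcessor:
    """Default behaviour: tokens are stored as-is, so both directions are identity."""

    def get_processed_token(self, plain: str) -> str:
        return plain

    def get_preprocessed_token(self, processed: str) -> str:
        return processed


class TokenStore:
    def __init__(self, processor):
        self.processor = processor
        self.rows = {}  # token_id -> (stored token value, state); constructed in-memory table

    def persist(self, token_id: str, plain_token: str) -> None:
        self.rows[token_id] = (self.processor.get_processed_token(plain_token), "ACTIVE")

    def get_access_token_by_token_id_buggy(self, token_id: str) -> str:
        # Returns the stored column unchanged: with encryption on, that is ciphertext.
        return self.rows[token_id][0]

    def get_access_token_by_token_id_fixed(self, token_id: str) -> str:
        # Reverses the processor so callers always receive the plain token.
        return self.processor.get_preprocessed_token(self.rows[token_id][0])

    def get_access_token_do(self, token_identifier: str) -> dict:
        # Lookups process the supplied identifier before matching, so they expect plain input.
        lookup = self.processor.get_processed_token(token_identifier)
        for stored, state in self.rows.values():
            if stored == lookup and state == "ACTIVE":
                return {"token": token_identifier, "state": state}
        raise ValueError("Invalid Access Token. Access token is not ACTIVE.")


def revoke_tokens_mapped_to_session(store: TokenStore, token_id: str, fixed: bool) -> bool:
    """Session-termination path: fetch the token by id, then look it up for revocation."""
    getter = store.get_access_token_by_token_id_fixed if fixed else store.get_access_token_by_token_id_buggy
    try:
        store.get_access_token_do(getter(token_id))
        return True
    except ValueError:
        return False  # the "not ACTIVE" error from the stack trace above
```

With the plain-text processor the buggy getter already returns the plain token, which is why the failure only appears once token encryption is enabled.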