User Application Timeout issue

Hi,

We run User Application 3.8.7 at a client in a Docker cluster environment and we are having some issues with sessions being broken, forcing the user to log in several times in a short period.

We see this in catalina.out:

09:37:59.247 [https-jsse-nio-18543-exec-40] DEBUG com.netiq.idmdash.context.RefreshTokenServlet - [IDMDASH] OSP exception: access_denied:revtoken:Refresh token has been revoked.
09:37:59.247 [https-jsse-nio-18543-exec-40] DEBUG com.netiq.idmdash.context.RefreshTokenServlet - [IDMDASH] Refresh token has been revoked.
com.netiq.idmdash.oauth.exception.InvalidCredentialsException: Refresh token has been revoked.
        at com.netiq.idmdash.context.RefreshTokenServlet.handleRequestError(RefreshTokenServlet.java:417) ~[classes/:?]
        at com.netiq.idmdash.context.RefreshTokenServlet.getAccessTokenInfo(RefreshTokenServlet.java:381) ~[classes/:?]
        at com.netiq.idmdash.context.RefreshTokenServlet.doGet(RefreshTokenServlet.java:191) ~[classes/:?]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:529) ~[servlet-api.jar:4.0.FR]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:623) ~[servlet-api.jar:4.0.FR]
etc..

Does anyone have any ideas on what we can try?

The issue seems to be isolated to one of the servers (the error shown above is only seen in catalina.out on one of the servers).

(ism-configuration.properties is identical on both servers.)

  • Verified Answer

    +1  

    Do you run OSP alongside IdentityApps on your cluster hosts? Do you have the same OSP keystore everywhere?

    Are all your hosts using the same eDirectory without a loadbalancer in front? Refresh tokens are stored in the users' oidpInstanceData attribute. Therefore replication delays can cause these issues if you're using different eDirectory instances.
    Clearing oidpInstanceData (e.g. because it grew too large) will also revoke all refresh tokens.

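The answer points at one symptom to look for: revocations that cluster on a single host in a short window, rather than the occasional revocation a normal logout produces. The script below is an added example, not code from the thread or from NetIQ: it parses the catalina.out line format shown in the post, deduplicates the two lines the servlet writes per revocation, and flags hosts where several distinct revocations fall inside a few minutes. The host names node-a and node-b and all log lines other than those quoted in the post are constructed.

```python
import re
from datetime import datetime, timedelta
# catalina.out line format seen in the post: HH:MM:SS.mmm [thread] LEVEL logger - message
LOG_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<thread>[^\]]+)\] "
                    r"\w+ (?P<logger>\S+) - (?P<msg>.*)$")
REVOKED = "Refresh token has been revoked"

def revocation_events(lines):
    """Sorted timestamps of distinct revocations. The servlet logs each one twice
    (raw OSP error + its own message) on the same thread and timestamp, so events
    are deduplicated by (ts, thread); stack-trace lines do not match and are skipped."""
    seen = set()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["logger"].endswith("RefreshTokenServlet") and REVOKED in m["msg"]:
            seen.add((m["ts"], m["thread"]))
    return sorted(datetime.strptime(ts, "%H:%M:%S.%f") for ts, _ in seen)

def hosts_with_bursts(logs_by_host, window=timedelta(minutes=5), threshold=3):
    """Flag hosts with >= threshold distinct revocations inside any `window`
    (the "log in several times in a short period" symptom). A single revocation
    from a normal logout is not flagged. Returns {host: count in worst window}."""
    flagged = {}
    for host, lines in logs_by_host.items():
        events = revocation_events(lines)
        worst = max((sum(1 for t in events[i:] if t - start < window)
                     for i, start in enumerate(events)), default=0)
        if worst >= threshold:
            flagged[host] = worst
    return flagged

# Constructed sample (hypothetical hosts node-a/node-b): node-a reproduces the
# post's lines plus two more revocations; node-b has one isolated revocation.
_P = "DEBUG com.netiq.idmdash.context.RefreshTokenServlet - [IDMDASH] "
SAMPLE_LOGS = {
    "node-a": [
        "09:37:59.247 [https-jsse-nio-18543-exec-40] " + _P + "OSP exception: access_denied:revtoken:Refresh token has been revoked.",
        "09:37:59.247 [https-jsse-nio-18543-exec-40] " + _P + "Refresh token has been revoked.",
        "com.netiq.idmdash.oauth.exception.InvalidCredentialsException: Refresh token has been revoked.",
        "        at com.netiq.idmdash.context.RefreshTokenServlet.handleRequestError(RefreshTokenServlet.java:417) ~[classes/:?]",
        "09:39:12.004 [https-jsse-nio-18543-exec-12] " + _P + "Refresh token has been revoked.",
        "09:41:30.551 [https-jsse-nio-18543-exec-07] " + _P + "Refresh token has been revoked.",
    ],
    "node-b": [
        "11:02:45.900 [https-jsse-nio-18543-exec-03] " + _P + "Refresh token has been revoked.",
    ],
}
if __name__ == "__main__":
    print(hosts_with_bursts(SAMPLE_LOGS))  # {'node-a': 3}
```

Run it against each cluster member's catalina.out: a host that is flagged while its peers are not is the one to check for a differing OSP keystore or a lagging eDirectory replica, as the answer suggests.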