[cas-user] Problem with expiration policy time to live while trying to activate oidc server capacity on cas 6.1.5

Wed, 06 May 2020 14:57:25 -0700 

Hello,

we have a cas 6.1.5 instance and we are trying the oidc server feature. We 
have configured a "hello world" style service for the poc in the service 
registry.
So far, when we request the service, we are redirected to the login page. 
Once logged in, the oidc attribute release authorisation page is displayed, 
and if we click on "authorise" we have a 500 error.

We have tracked the error to the class 
: OidcImplicitIdTokenAndTokenAuthorizationResponseBuilder

        val idToken = 
this.idTokenGenerator.generate(context.getNativeRequest(),
            context.getNativeResponse(), accessToken, 
idTokenExpirationPolicy.buildTicketExpirationPolicy().getTimeToLive(),
            OAuth20ResponseTypes.IDTOKEN_TOKEN, 
holder.getRegisteredService());


this part is problematic 

idTokenExpirationPolicy.buildTicketExpirationPolicy().getTimeToLive()


the expiration policy returned is a TimeoutExpirationPolicy and the code 
for the method getTimeToLive is :

    public Long getTimeToLive() {
        return Long.MAX_VALUE;
    }


Which is quite big.

When the value is user in the class : OidcIdTokenGeneratorService

        expirationDate.addSeconds(timeoutInSeconds);

The following error is thrown :

java.lang.ArithmeticException: long overflow adding: 1588800927 + 
9223372036854775807 = -9223372035265974882
        at org.jose4j.lang.Maths.add(Maths.java:13) ~[jose4j-0.7.0.jar!/:?]
        at org.jose4j.jwt.NumericDate.addSeconds(NumericDate.java:61) 
~[jose4j-0.7.0.jar!/:?]
        at 
org.apereo.cas.oidc.token.OidcIdTokenGeneratorService.buildJwtClaims(OidcIdTokenGeneratorService.java:103)
 
~[cas-server-support-oidc-core-api-6.1.5.jar!/:6.1.5]



Has anyone encountered this problem ?
is the expiration policy of these tokens related to the configuration of 
the expiration policy for the tgts ?
should we user getTimeToKill instead of gettimetolive ?

Thank you !

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/81ac227f-f597-44cc-920a-184f453a15be%40apereo.org.

Reply via email to