OAuth2 Token Invalid

Article ID: 131492

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

The access token was retrieved at 23-04-2019 22:07:57 and used at 23-04-2019 22:10:46. However, an error was received stating the following:
2019-04-23T22:10:47.566+0800 INFO 962 com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -4: error: invalid_request, error_description: Access token does not exist (expired, revoked, replaced, unknown, ...).
This issue occurred intermittently, on average about once per day.

Cause

The cluster has two nodes, and each node connects to its own local OTK database. Even when replication is running correctly there is a replication delay. Because the OAuth flow has multiple steps, a single session may call the OAuth endpoints on different nodes. An access token generated on one node might therefore not yet exist in the OTK database of the other node, and the request fails with the error "Access token does not exist".

Environment

There are two gateway nodes in the cluster, and the OTK JDBC connection URL is set to:
jdbc:mysql:localhost:3306/otk_db

Resolution

Specify the database host name instead of localhost in the OTK JDBC connection URL, so that both nodes connect to the same database rather than each to its own local copy.

If failover is required, the JDBC URL can be:
jdbc:mysql://<DB host 1>:3306,<DB host 2>:3306/otk_db?failOverReadOnly=false&autoReconnect=true&connectTimeout=100
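As an added example (not part of this article and not code from CA or Broadcom), the following Python script parses a MySQL Connector/J JDBC URL of the kind shown above and flags the misconfiguration this article describes: a loopback host (localhost, 127.0.0.1, ::1) in a multi-node cluster, plus failover URLs that omit failOverReadOnly=false or autoReconnect=true. The host names used in the usage section are constructed placeholders; the parser is a hypothetical helper, not a Connector/J API.

```python
"""Lint an OTK MySQL JDBC URL for multi-node gateway clusters (added example)."""
import re
from urllib.parse import parse_qs

# Hosts that resolve differently on every gateway node.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Accepts both "jdbc:mysql://host:port/db" and the "jdbc:mysql:host:port/db"
# form quoted in the article's Environment section.
_URL_RE = re.compile(
    r"^jdbc:mysql:(?://)?(?P<hosts>[^/]+)/(?P<db>[^?]+)(?:\?(?P<query>.*))?$"
)


def _split_host_port(host_port):
    """Return (host, port) for 'host', 'host:port' or '[ipv6]:port'."""
    if host_port.startswith("["):  # bracketed IPv6 literal
        host, _, rest = host_port[1:].partition("]")
        port = rest.lstrip(":") or "3306"
        return host, int(port)
    host, sep, port = host_port.rpartition(":")
    if not sep:  # no port given, MySQL default
        return host_port, 3306
    return host, int(port)


def parse_mysql_jdbc_url(url):
    """Parse a Connector/J URL into hosts, database name and query parameters."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError("not a MySQL JDBC URL: %r" % url)
    hosts = [_split_host_port(hp) for hp in m.group("hosts").split(",")]
    # parse_qs keeps a list per key; the last value wins, as in Connector/J.
    params = {k: v[-1] for k, v in parse_qs(m.group("query") or "").items()}
    return {"hosts": hosts, "database": m.group("db"), "params": params}


def lint_otk_jdbc_url(url, cluster_nodes=2):
    """Return human-readable findings for a cluster of `cluster_nodes` gateways."""
    findings = []
    info = parse_mysql_jdbc_url(url)
    loopback = [h for h, _ in info["hosts"] if h.lower() in LOOPBACK_HOSTS]
    if loopback and cluster_nodes > 1:
        findings.append(
            "loopback host(s) %s: every node resolves this to its own local "
            "database, so a token written on one node may not be found on "
            "another until replication catches up" % ", ".join(loopback)
        )
    if len(info["hosts"]) > 1:
        params = info["params"]
        # Connector/J defaults failOverReadOnly to true, which would leave the
        # OTK unable to write tokens after a failover.
        if params.get("failOverReadOnly", "true").lower() != "false":
            findings.append("failover URL without failOverReadOnly=false")
        if params.get("autoReconnect", "false").lower() != "true":
            findings.append("failover URL without autoReconnect=true")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs; the host names are placeholders.
    samples = [
        "jdbc:mysql:localhost:3306/otk_db",
        "jdbc:mysql://otkdb1.example.internal:3306/otk_db",
        "jdbc:mysql://otkdb1.example.internal:3306,otkdb2.example.internal:3306"
        "/otk_db?failOverReadOnly=false&autoReconnect=true&connectTimeout=100",
    ]
    for sample in samples:
        print(sample)
        for finding in lint_otk_jdbc_url(sample) or ["ok"]:
            print("  -", finding)
```

Run it against the JDBC URL configured on each gateway node; any loopback finding means the nodes are not sharing one OTK database, which is exactly the condition that produces the intermittent "Access token does not exist" error.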