UAA tokens with very long expiry may result in 500 errors

Article ID: 298260


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

A bug was discovered in UAA that affects customers who create tokens with a long expiry that keeps them alive past January 2038. If you do this, then when you query the UAA to exchange that refresh token for an access token, you will receive an HTTP 500 response.

You will see an error in logs:
2021-01-19 23:49:02.587] uaa - 15 [https-jsse-nio-8443-exec-8] .... ERROR --- UaaTokenEndpoint: Handling error: ClassCastException, null
java.lang.ClassCastException: null


This indicates a type-casting bug: if you set the expiry date too far into the future, UAA has to try to cast a long into an int, which then causes UAA to crash.


Environment

Product Version: 2.10

Resolution

The workaround is to not create tokens with an expiry past 2037. A patch to UAA in Tanzu Application Service (TAS) for VMs is currently in development.

The default expiration for access and refresh tokens is 12 hours and 30 days respectively. For this issue to occur, an operator would need to override accessTokenValiditySeconds or refreshTokenValiditySeconds.

You can run the command uaac context to check the expires_in time of a token to see if it is affected by this issue.
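The check described above can be scripted. The following is an added example, not code from VMware or the UAA project: it flags validity overrides and token exp claims that land past the signed 32-bit limit. It assumes the failing cast is applied to the expiry in epoch seconds, so the threshold is Java's Integer.MAX_VALUE; the client names and values are constructed.

```python
import base64
import json
import time

# Assumption: the failing cast is long -> Java int on the expiry in epoch seconds.
INT32_MAX = 2**31 - 1  # Integer.MAX_VALUE, i.e. 2038-01-19T03:14:07Z as epoch seconds
VALIDITY_KEYS = ("accessTokenValiditySeconds", "refreshTokenValiditySeconds")


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_token(exp):
    """Constructed, unsigned JWT-shaped string for the demo only."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    payload = b64url(json.dumps({"exp": exp}).encode())
    return f"{header}.{payload}."


def jwt_exp(token):
    """Read the exp claim (epoch seconds) from a JWT; no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def past_int32(exp):
    return exp > INT32_MAX


def audit_validity(clients, now=None):
    """Return (client, setting, seconds) for overrides that expire past INT32_MAX."""
    now = int(time.time()) if now is None else now
    findings = []
    for name, cfg in clients.items():
        for key in VALIDITY_KEYS:
            secs = cfg.get(key)
            if secs is not None and past_int32(now + secs):
                findings.append((name, key, secs))
    return findings


if __name__ == "__main__":
    clients = {  # constructed sample values; "defaults" uses the 12 h / 30 d defaults
        "defaults": {"accessTokenValiditySeconds": 43200, "refreshTokenValiditySeconds": 2592000},
        "long-lived": {"refreshTokenValiditySeconds": 20 * 365 * 86400},
    }
    print(audit_validity(clients))
    print(past_int32(jwt_exp(sample_token(INT32_MAX + 1))))
```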