Auto renewal of token does not work as expected

Description

Reported by Kees van Ginkel.

In Amdatu Security (amdatu-security / org.amdatu.security.authentication.authservice / src / org / amdatu / security / authentication / authservice / rest / AuthenticationResource.java, line 600):

    private boolean isAuthenticated(AuthenticationRealmConfig cfg, TokenProperties tokenProps) {
        if (!tokenProps.isValid()) {
            return false;
        }

        if (tokenProps.isTokenExpired()
            && cfg.isAutoRenewToken()
            && !tokenLifetimeExtended(tokenProps, cfg.getTokenMaxLifetime())) {
            // Token is expired, but we cannot (or are not allowed to) renew it...
            return false;
        }
        // ... rest of the method is not quoted in the report

The method tokenProps.isValid() also returns false if the token is expired, so the next lines are never executed and the expiration is not refreshed.

To make testing easy, change the values in org.amdatu.security.tokenprovider.jwt.cfg so that the timeout occurs within 90 seconds after login:

allowedClockSkew=30
tokenValidityPeriod=60
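
The ordering problem described above, modelled as an added example (not code from Amdatu Security). `Token`, `integrityOk`, `extendLifetime`, both check methods and the 300-second maximum lifetime are hypothetical stand-ins; expiry is assumed to be the validity period plus the allowed clock skew, and the maximum lifetime is assumed to count from issuance.

```java
// Added illustration; all names are hypothetical stand-ins, not the Amdatu Security API.
import java.time.Instant;

public class RenewalOrderDemo {
    static final long SKEW = 30, VALIDITY = 60;   // seconds, from the test config above
    static final long MAX_LIFETIME = 300;         // constructed value for the demo
    static final class Token {
        final Instant issuedAt; Instant expiresAt; final boolean integrityOk;
        Token(Instant issuedAt, boolean integrityOk) {
            this.issuedAt = issuedAt;
            this.expiresAt = issuedAt.plusSeconds(VALIDITY);
            this.integrityOk = integrityOk;
        }
        boolean isExpired(Instant now) { return now.isAfter(expiresAt.plusSeconds(SKEW)); }
        // Mirrors the report: "valid" already implies "not expired".
        boolean isValid(Instant now) { return integrityOk && !isExpired(now); }
    }

    // Renew only while the token is younger than the maximum lifetime (assumption).
    static boolean extendLifetime(Token t, Instant now) {
        if (now.isAfter(t.issuedAt.plusSeconds(MAX_LIFETIME))) return false;
        t.expiresAt = now.plusSeconds(VALIDITY);
        return true;
    }

    // Ordering from the report: the renewal branch is unreachable for expired tokens.
    static boolean checkAsReported(Token t, Instant now, boolean autoRenew) {
        if (!t.isValid(now)) return false;
        if (t.isExpired(now) && autoRenew && !extendLifetime(t, now)) return false;
        return true;
    }

    // Integrity first, then expiry; an expired token passes only if it was renewed.
    static boolean checkReordered(Token t, Instant now, boolean autoRenew) {
        if (!t.integrityOk) return false;
        if (!t.isExpired(now)) return true;
        return autoRenew && extendLifetime(t, now);
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");   // constructed timestamps
        Instant late = t0.plusSeconds(91), tooLate = t0.plusSeconds(301);
        System.out.println(checkAsReported(new Token(t0, true), late, true));
        System.out.println(checkReordered(new Token(t0, true), late, true));
        System.out.println(checkReordered(new Token(t0, true), late, false));
        System.out.println(checkReordered(new Token(t0, false), late, true));
        System.out.println(checkReordered(new Token(t0, true), tooLate, true));
    }
}
```

Only the second call accepts the token: renewal happens for an expired token with intact integrity, auto-renew enabled and an age below the maximum lifetime, and every other combination is rejected.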

Fixed

Assignee

Unassigned

Reporter

R

Labels

None

Priority

Major