From 8f337dba9cfe74430c9becdf487df6f272943f94 Mon Sep 17 00:00:00 2001 From: YuriyZ Date: Wed, 31 Jul 2024 16:33:13 +0300 Subject: [PATCH] fix(oxauth): corrected race condition during refresh token usage (4.5.5) https://github.com/GluuFederation/oxAuth/issues/1909 --- .../gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java b/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java index 69098eb15..beb0b26e6 100644 --- a/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java +++ b/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java @@ -582,13 +582,20 @@ private TokenLdap lockRefreshToken(String refreshTokenCode) { return null; } + final String lockKey = token.getAttributes().getAttributes().get("lockKey"); + if (StringUtils.isNotBlank(lockKey) && !NODE_ID.equals(lockKey)) { + log.trace("Refresh token is already locked. Refresh Token {}, lockKey {}", refreshTokenCode, NODE_ID); + return null; + } + refreshTokenLocalLock.put(refreshTokenCode, token); + log.trace("Trying to lock refresh token ... refresh token {}, lockKey {}", refreshTokenCode, NODE_ID); token.getAttributes().getAttributes().put("lockKey", NODE_ID); grantService.mergeSilently(token); final TokenLdap tokenFromDb = grantService.getGrantByCode(refreshTokenCode); if (NODE_ID.equals(tokenFromDb.getAttributes().getAttributes().get("lockKey"))) { - log.trace("Successfully locked refresh token {}, attempt {}", refreshTokenCode, attempt); + log.trace("Successfully locked refresh token {}, attempt {}, lockKey {}", refreshTokenCode, attempt, NODE_ID); return token; }
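Review bot: The new `lockKey` pre-check is still a read-then-write sequence against the store: two nodes can both read a blank `lockKey`, both call `mergeSilently`, and a node that reads the token back before the other node's write lands would still see its own `NODE_ID`, so the same refresh token could be redeemed twice. If the persistence layer offers a conditional update (compare-and-set on `lockKey`), using it would close that window; otherwise the read-back should be documented as best-effort. In the added early-return branch the trace line prints `NODE_ID` rather than the value that actually holds the lock; it should read `log.trace("Refresh token is already locked. Refresh Token {}, lockKey {}", refreshTokenCode, lockKey);`. Nothing in the hunk shows when `lockKey` is cleared, so a value left behind by a node that has gone away would now make every other node reject the token, which is worth confirming in the part of `lockRefreshToken` that lies outside this hunk. The trace lines on the new side also write the refresh token code itself to the log; a hash or truncated form would keep the bearer value out of log files.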