+
Skip to content

Parallel token exchange fails if client session is expired #41427

New issue
New issue
Closed
#41548
Closed
Parallel token exchange fails if client session is expired#41427
#41548
Assignees
ahus1
Labels
area/storageIndicates an issue that touches storage (change in data layout or data manipulation)area/token-exchangekind/bugCategorizes a PR related to a bugpriority/normalrelease/26.2.9release/26.3.4release/26.4.0team/sre
@lbilger

Description

@lbilger
lbilger
opened on Jul 25, 2025

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

token-exchange

Describe the bug

I have experienced this in token-exchange:v1, but I think other areas might also be affected.
When exchanging a token from client-A into one from client-B, if there is an existing client session for client-B in the database and this session is expired, the ClientSessionPersistentChangelogBasedTransaction.getSessionEntityFromPersister will try to remove the existing session from the database. If the same token exchange is called twice in parallel, there is a high probability that one of them will fail with a StaleObjectStateException because the other one has already deleted the session.

I believe this failure can be avoided, the exception can just be ignored if the session has already been deleted from the database.

It does not matter if both calls end up on the same server (in a clustered environment) or not.

Tested in RHBK 26.2.5 and upstream 26.3.2 (both latest at the time of writing).

Version

RHBK 26.2.5, 26.3.2

Regression

  • The issue is a regression

Expected behavior

All token exchanges succeed

Actual behavior

one of the exchanges fails with HTTP 500

How to Reproduce?

For local testing, I reduced the client session timeouts to 30s idle / 1m max and ran the following script a couple of times with >30s pause in between:

#!/usr/bin/env bash

token="$(<get token for client-A>)"

curl -X POST -sS --location "http://localhost:8080/auth/realms/<realm>/protocol/openid-connect/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'client_id=client-B&client_secret=client-B-secret&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token&subject_token='"$token" -i > curl1.txt &
curl -X POST -sS --location "http://localhost:8080/auth/realms/<realm>/protocol/openid-connect/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'client_id=client-B&client_secret=client-B-secret&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token&subject_token='"$token" -i > curl2.txt &

wait

cat curl*.txt

Anything else?

No response

Metadata

Metadata

Assignees

Labels

area/storageIndicates an issue that touches storage (change in data layout or data manipulation)area/token-exchangekind/bugCategorizes a PR related to a bugpriority/normalrelease/26.2.9release/26.3.4release/26.4.0team/sre

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载