2 Replies Latest reply on Aug 30, 2018 12:17 PM by Erik Raetz

    18.2.0.r1831332 - security.oauth.tokenLifetime value of 3600 increased by a factor of 1000 leading to tokens that last 41 days!

    Erik Raetz

      We updated to the latest ORDS for a new project.


      select ords.installed_version from dual;



      We are experiencing a really wierd issue with oauth token lifetime. This is the value from the defaults.xml


      <entry key="security.oauth.tokenLifetime">3600</entry>


      OAuth Clients are registered for client_credential flow and privileges are given to said clients via roles.


      oauth.create_client(p_name => 'oauth clientname', p_grant_type => 'client_credentials', p_privilege_names => NULL, p_support_email => 'email_address');

      oauth.grant_client_role('oauth clientname', 'clientrole');


      This is the token request:


      curl -X POST \

        {ORDS_PATH}/oauth/token \

        -H 'Authorization: Basic {OAUTH_CLIENT}' \

        -H 'Cache-Control: no-cache' \

        -H 'Content-Type: application/x-www-form-urlencoded' \

        -d grant_type=client_credentials


      This is the response:



          "access_token": "{OAUTH_TOKEN}",

          "token_type": "bearer",

          "expires_in": 3600000



      First we thought that number just got changed from seconds to miliseconds.

      To our suprise it is not the case. Tokens we register last for over 41 days.


      We tried to change the config file and whatever we enter it gets multiplied by a factor of 1000.


      Does anyone have an idea what is causing this?


      Is the new intended approach to register 1 hour long tokens to enter the following?


      <entry key="security.oauth.tokenLifetime">3.6</entry>