  1. CXF
  2. CXF-5278

STS Renew returns incorrect lifetime

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.6
    • Fix Version/s: 2.6.10, 2.7.7
    • Component/s: STS
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      SAMLTokenRenewer#renewToken sets the lifetime attribute of the TokenRenewerResponse to the difference between the NotBefore and NotOnOrAfter attributes of the SAML assertion conditions. Later, the TokenRenewOperation#createResponse method creates a Lifetime using the current timestamp as the Created value and the current timestamp plus the previously calculated difference as the Expires.

      In cases where the NotBefore of the SAML assertion conditions is not the current time, this results in an incorrect lifetime in the response from the renew operation. For example, if the NotBefore is a few minutes in the past to work around systems with clock differences, then the lifetime in the response will claim the token expires a few minutes before it actually does.

      This seems to cause issues with caching of tokens on the client side (STSClient) as the token will be cached for a period shorter than it should be.
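
The calculation described above, modelled as an added example (not CXF source code and not part of the original report). It shows how far the reported Expires drifts from the assertion's NotOnOrAfter when only the window length is carried over. The class, record and method names and the timestamps are constructed for illustration, `fromConditions` is one possible alternative and not necessarily the change made in the project, and records need Java 16 or later.

```java
import java.time.Duration;
import java.time.Instant;

/** Added illustration: models the calculation in the description, not CXF source. */
public class RenewLifetimeDrift {

    /** Created/Expires pair as returned to the client (hypothetical type). */
    record Lifetime(Instant created, Instant expires) {}

    /** Behaviour described in the report: keep only the window length and re-anchor it at "now". */
    static Lifetime fromDifference(Instant notBefore, Instant notOnOrAfter, Instant now) {
        Duration window = Duration.between(notBefore, notOnOrAfter);
        return new Lifetime(now, now.plus(window));
    }

    /** Assumed alternative: report the assertion's own validity bounds unchanged. */
    static Lifetime fromConditions(Instant notBefore, Instant notOnOrAfter) {
        return new Lifetime(notBefore, notOnOrAfter);
    }

    /** Signed drift of the reported Expires relative to the assertion's NotOnOrAfter. */
    static Duration drift(Lifetime reported, Instant notOnOrAfter) {
        return Duration.between(notOnOrAfter, reported.expires());
    }

    public static void main(String[] args) {
        // Constructed sample values: a 30-minute assertion whose NotBefore is
        // backdated by 5 minutes to tolerate clock differences.
        Instant now = Instant.parse("2020-01-01T12:00:00Z");
        Instant notBefore = now.minus(Duration.ofMinutes(5));
        Instant notOnOrAfter = notBefore.plus(Duration.ofMinutes(30));

        Lifetime described = fromDifference(notBefore, notOnOrAfter, now);
        Lifetime aligned = fromConditions(notBefore, notOnOrAfter);

        System.out.println("assertion NotOnOrAfter      : " + notOnOrAfter);
        System.out.println("reported Expires (diff)     : " + described.expires());
        System.out.println("drift, difference-based     : " + drift(described, notOnOrAfter));
        System.out.println("drift, conditions-based     : " + drift(aligned, notOnOrAfter));
    }
}
```

The difference-based drift always equals `now - NotBefore`, so any gap between the assertion's NotBefore and the time of the renew call shows up one-for-one in the Lifetime the client caches against.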

            People

              Assignee: coheigea Colm O hEigeartaigh
              Reporter: ethan.wallwork Ethan Wallwork