
Refresh tokens have a negative exp claim because TokenManager is vulnerable to integer overflow for long-lasting sessions (Year 2038 bug) #19671

@ghilainm

Description

Before reporting an issue

  • I have searched existing issues
  • I have reproduced the issue with the latest release

Area

oidc

Describe the bug

Refresh tokens (access tokens are probably also impacted) are generated with a negative expiry timestamp when the SSO session max lifespan is set to a big value (several years).

The bug is located here in the TokenManager class.

        // Both operands are int values in seconds: getStarted() is a Unix epoch
        // timestamp (~1.68e9 in 2023) and the lifespan is the configured number
        // of seconds. Their sum is computed in 32-bit int arithmetic and wraps
        // to a negative value once it exceeds Integer.MAX_VALUE (2147483647).
        int sessionExpires = userSession.getStarted()
            + (userSession.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0
                ? realm.getSsoSessionMaxLifespanRememberMe()
                : realm.getSsoSessionMaxLifespan());
        // The wrapped (negative) sessionExpires is always <= expiration, so it
        // wins the comparison and ends up as the token's exp claim.
        expiration = expiration <= sessionExpires ? expiration : sessionExpires;

This is known as the Year 2038 issue. https://en.wikipedia.org/wiki/Year_2038_problem

Version

21.0.2

Expected behavior

The expiry of the token is properly set.

Actual behavior

The expiry of the token is set in the past.

How to Reproduce?

Set a very long value for the SSO session max lifespan, for example 5400 days, and get a refresh token.

Anything else?

No response
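The following stand-alone Java program is an added example (not part of the issue or of Keycloak's code) that reproduces the int arithmetic quoted above with constructed inputs, and shows a hardened variant beside it. The method names buggySessionExpires, safeSessionExpires and expIsSane are hypothetical. With a 5400-day lifespan (466,560,000 seconds) the sum crosses Integer.MAX_VALUE for any session started after 2023-04-08T03:14:07Z, which matches the reporter's reproduction window for release 21.0.2.

```java
import java.time.Instant;

public class SessionExpiryOverflow {
    static final int SECONDS_PER_DAY = 86_400;

    // Same arithmetic as the quoted TokenManager snippet: int + int, no overflow check.
    // In Java this wraps silently instead of failing.
    static int buggySessionExpires(int started, int ssoSessionMaxLifespan) {
        return started + ssoSessionMaxLifespan;
    }

    // Hardened variant (hypothetical, not Keycloak's fix): widen to long before adding
    // and saturate at Integer.MAX_VALUE, so the result can never wrap negative.
    // Math.addExact(started, lifespan) is the alternative if throwing is preferred.
    static int safeSessionExpires(int started, int ssoSessionMaxLifespan) {
        long sum = (long) started + (long) ssoSessionMaxLifespan;
        return (int) Math.min(sum, (long) Integer.MAX_VALUE);
    }

    // Sanity check a validator or a test can apply to an issued token:
    // exp must lie strictly after iat, otherwise the token is dead on arrival.
    static boolean expIsSane(long iat, long exp) {
        return exp > iat;
    }

    public static void main(String[] args) {
        // Constructed input: a session started on 2023-04-20 (epoch 1681948800)
        // with the reporter's 5400-day SSO session max lifespan.
        int started = (int) Instant.parse("2023-04-20T00:00:00Z").getEpochSecond();
        int lifespan = 5400 * SECONDS_PER_DAY; // 466_560_000, itself fits in an int

        int buggy = buggySessionExpires(started, lifespan); // -2146458496 (wrapped)
        int safe = safeSessionExpires(started, lifespan);   // 2147483647 (2038-01-19T03:14:07Z)

        System.out.println("started   = " + started + "  " + Instant.ofEpochSecond(started));
        System.out.println("buggy exp = " + buggy + "  " + Instant.ofEpochSecond(buggy)
                + "  sane=" + expIsSane(started, buggy));
        System.out.println("safe exp  = " + safe + "  " + Instant.ofEpochSecond(safe)
                + "  sane=" + expIsSane(started, safe));
    }
}
```

Two points worth noting for anyone triaging this. First, the lifespan value itself is not the problem; it is the sum with the current epoch time that leaves the int range, so the same configuration works today and breaks on a later date. Second, a negative exp is in the past, so a conforming JWT validator rejects the token outright: the failure mode is refresh tokens (and possibly access tokens) that are unusable the moment they are issued, an availability problem rather than a lifetime-extension bypass. Saturating at Integer.MAX_VALUE only defers the cliff to 2038; a durable fix keeps the expiry in a long end to end.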
