mthmulders

Reputation: 9705

WSO2IS access token always invalid

I've built a simple web application using Spark and pac4j. It is supposed to authenticate users with WSO2 Identity Server 5.0.0, using the OAuth 2 "Authorization Code Grant".

The OAuth flow seems to work fine, but not completely:

However, finally pac4j retrieves the user profile (/oauth2/userinfo?schema=openid), using the access token. This always gives me the response

{"error":"invalid_token","error_description":"Access token validation failed"}

And WSO2 logs

TID: [0] [IS] [2018-03-14 16:20:30,446] DEBUG {org.wso2.carbon.identity.oauth.endpoint.user.OpenIDConnectUserEndpoint} - org.wso2.carbon.identity.oauth.endpoint.user.UserInfoEndpointException: Access token validation failed {org.wso2.carbon.identity.oauth.endpoint.user.OpenIDConnectUserEndpoint}

The access token is still present in the IDN_OAUTH2_ACCESS_TOKEN database table:

TIME_CREATED            VALIDITY_PERIOD TOKEN_STATE TOKEN_STATE_ID
------------------------------------------------------------------
2018-03-14 10:40:35.940 3600000         ACTIVE      NONE

I don't understand why WSO2 says my access token is invalid.

Can anyone shed some light on this?

Upvotes: 0

Views: 1176

Answers (1)

mthmulders

Reputation: 9705

Well, strange as it is... Deleting all access tokens and authorization tokens in the WSO2 database resolved the issue.

Upvotes: 1
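
A check that can be run against the values posted in the question, as an added example that is not part of the original post or answer: it compares the token row's TIME_CREATED plus VALIDITY_PERIOD with the timestamp of the failed validation in the log. It assumes VALIDITY_PERIOD is in milliseconds, that the row belongs to the token sent to the userinfo endpoint, and that the database and the log use the same time zone (the page states none of these); `db_offset` is a hypothetical parameter for correcting a time-zone difference.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, copied from the values shown in the question
# (log line shortened).
DB_ROW = "2018-03-14 10:40:35.940 3600000         ACTIVE      NONE"
LOG_LINE = ("TID: [0] [IS] [2018-03-14 16:20:30,446] DEBUG "
            "{...OpenIDConnectUserEndpoint} - Access token validation failed")


def parse_row(row):
    """Split a TIME_CREATED / VALIDITY_PERIOD / TOKEN_STATE / TOKEN_STATE_ID row."""
    date, time, validity_ms, state, _state_id = row.split()
    created = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f")
    # Assumption: VALIDITY_PERIOD is expressed in milliseconds.
    return created, timedelta(milliseconds=int(validity_ms)), state


def parse_log_time(line):
    """Extract the bracketed 'YYYY-MM-DD HH:MM:SS,mmm' timestamp from a log line."""
    m = re.search(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})\]", line)
    if m is None:
        raise ValueError("no timestamp found in log line")
    base = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return base + timedelta(milliseconds=int(m.group(2)))


def token_age_report(row, log_line, db_offset=timedelta(0)):
    """Compare the token's lifetime with the time of the failed validation.

    db_offset (hypothetical): added to TIME_CREATED when the database and the
    log are known to use different time zones; zero means "same clock".
    """
    created, validity, state = parse_row(row)
    checked = parse_log_time(log_line)
    expires = created + db_offset + validity
    return {
        "state": state,                # what the table says
        "expires": expires,            # when the lifetime runs out
        "checked": checked,            # when validation was attempted
        "expired": checked >= expires,
        "overdue": checked - expires,  # negative while the token is still valid
    }


if __name__ == "__main__":
    for key, value in token_age_report(DB_ROW, LOG_LINE).items():
        print(f"{key:8} {value}")
```

Under the same-time-zone assumption, the row reads ACTIVE while its lifetime ended hours before the logged validation attempt, so TOKEN_STATE alone does not show whether a token is still within its validity period.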
