Fixes are available
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
The OpenID Connect (OIDC) Relying Party (RP) monitors the expiration time of id_tokens retrieved during the login process. When an id_token has expired, the user's authentication to WAS is considered to be expired as well. This behavior is currently not configurable.
Local fix
N/A
Problem summary
****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server users of    *
*                 OpenID Connect Relying Party                 *
****************************************************************
* PROBLEM DESCRIPTION: Sessions for users authenticated with   *
*                      OIDC expire at time of exp claim in     *
*                      ID token                                *
****************************************************************
* RECOMMENDATION: Install a fix pack or interim fix that       *
*                 contains this APAR.                          *
****************************************************************
The sessions for users that were authenticated into WebSphere using the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) will expire at the time of the exp claim of the ID token associated with the session. This behavior is not configurable. WebSphere administrators may want the user's sessions to persist longer than the exp claim in the ID token.
Problem conclusion
When the OIDC RP inserts SessionData objects into DynaCache, the time given for eviction of the object from the cache is the value of the exp claim in the associated ID token. The runtime is updated so that eviction of the SessionData objects from the cache need not be based on the exp claim in the ID token.

The following OIDC TAI custom property is added:

provider_<id>.sessionCacheTimeoutMinutes, default=120

The time, in minutes, that a session associated with an ID token may remain in the session cache. By default, a session will be removed from the cache based on at least four things, in priority order:
1) logout,
2) ID token expiration (or timeout),
3) failure to refresh an access token, and
4) cache eviction policy.

Setting this property overrides the ID token expiration for session caching purposes. If this property is set to [0], only the other three conditions are used for removing sessions from the session cache. The ID token expiration is provided in the [exp] claim. The minimum value for this property is [0] and the maximum value is [43200]. If this property is not set in the configuration and there is no expiration in the ID token, the default timeout is [120] minutes. When the DynaCache service is not available, the setting is ignored if this property is set to [0], because the local cache has no eviction policy.

The fix for this APAR is currently targeted for inclusion in fix packs 8.5.5.15 and 9.0.0.10. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
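The eviction rules described above, as an added Python model that is not IBM's WebSphere code: session_cache_expiry computes the time-based deadline for a cached session from the ID token's exp claim and the provider_<id>.sessionCacheTimeoutMinutes value, and should_evict applies the four removal conditions in the stated priority order. The function and parameter names are assumptions, as is rejecting (rather than clamping) values outside the documented [0, 43200] range.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_TIMEOUT_MINUTES = 120   # used when neither the property nor an exp claim is present
MAX_TIMEOUT_MINUTES = 43200     # documented maximum for sessionCacheTimeoutMinutes


def session_cache_expiry(now: datetime,
                         id_token_exp: Optional[int],
                         timeout_minutes: Optional[int],
                         dynacache_available: bool = True) -> Optional[datetime]:
    """Return the time-based eviction deadline for a SessionData entry, or None
    when no time-based eviction applies (logout, refresh failure and the cache
    eviction policy still remove the session in that case)."""
    if timeout_minutes is not None:
        # Assumption: out-of-range values are rejected; the APAR only states the bounds.
        if not 0 <= timeout_minutes <= MAX_TIMEOUT_MINUTES:
            raise ValueError(f"sessionCacheTimeoutMinutes must be in [0, {MAX_TIMEOUT_MINUTES}]")
        if timeout_minutes > 0:
            # The property overrides the exp claim for caching purposes.
            return now + timedelta(minutes=timeout_minutes)
        if dynacache_available:
            # 0 disables time-based removal; the other three conditions remain.
            return None
        # Local cache has no eviction policy, so a value of 0 is ignored and the
        # exp-claim behaviour below applies instead.
    if id_token_exp is not None:
        # exp is a NumericDate (seconds since the Unix epoch).
        return datetime.fromtimestamp(id_token_exp, tz=timezone.utc)
    return now + timedelta(minutes=DEFAULT_TIMEOUT_MINUTES)


def should_evict(now: datetime,
                 deadline: Optional[datetime],
                 logged_out: bool = False,
                 refresh_failed: bool = False,
                 evicted_by_policy: bool = False) -> Optional[str]:
    """Return the reason a session leaves the cache, in the APAR's priority order,
    or None if the session stays cached."""
    if logged_out:
        return "logout"
    if deadline is not None and now >= deadline:
        return "timeout"
    if refresh_failed:
        return "refresh_failure"
    if evicted_by_policy:
        return "eviction_policy"
    return None
```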
Temporary fix
Comments
APAR Information
APAR number
PH00569
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-07-16
Closed date
2018-10-15
Last modified date
2018-10-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
28 April 2022