Fixes are available
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
When logging out from the OIDC RP, the user can only be logged out from the device which initiates the login and has an OIDC session cookie. If the user has access to a resource by the OIDC TAI by virtue of an access token in the Authorization header in the HTTP request, if the user logs out, the OIDC TAI will not perform its logout.
Local fix
N/A
Problem summary
****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server of the     *
*                  OpenId Connect Relying Party                *
****************************************************************
* PROBLEM DESCRIPTION: The OIDC RP is unable to perform a      *
*                      logout if the OIDC session cookie is    *
*                      not present                             *
****************************************************************
* RECOMMENDATION:                                              *
*                  Install a fix pack or interim fix that      *
*                  contains this APAR.                         *
****************************************************************

The OpenID Connect (OIDC) Relying Party (RP) TAI is unable to perform a logout if the OIDC session cookie is not present on the HTTP request. The OIDC TAI can detect existing credentials by several means, one of which is the OIDC session cookie. If the session credentials are being maintained by an access token in the Authorization header of the HTTP request instead of the OIDC cookie, the user will not be logged out when an HTTP logout is performed.
Problem conclusion
When the HTTP logout API is invoked, the OIDC TAI only inspects the OIDC session cookie to find the data to remove from the OIDC session cache. If the OIDC session cookie is not present on the HTTP request that performs the logout, the user will not be logged out. The OIDC TAI is updated so that it can log out using either the OIDC session cookie, the access token in the Authorization header of the HTTP request, or both.

* By default, the TAI removes credentials from the OIDC session cache using the OIDC session cookie.
* If the OIDC session cookie does not exist, credentials are removed from the OIDC session cache using the access token in the Authorization header of the HTTP request, if it exists.
* If you set the alwaysInvalidateAccessTokenOnLogout OIDC TAI custom property to true, the OIDC TAI removes data from the OIDC session cache using data from both the OIDC session cookie and the access token in the Authorization header of the HTTP request.

If there is an OIDC session cookie on the request, the user is accessing the protected resource using the credentials established by the initial login to the OP. Usually, if there is also an access token in the HTTP header, it is the same token as the one associated with the cookie. However, if for some reason the access token in the HTTP header is not the same as the one associated with the OIDC session cookie, it is possible to log out with the cookie and still have access to the resource based on the access token in the HTTP header. This may or may not be intended. The purpose of alwaysInvalidateAccessTokenOnLogout is to let the administrator decide the desired logout scheme.

The following OIDC TAI custom property is added:

==============
alwaysInvalidateAccessTokenOnLogout
values: true/false (default)
description: By default, when a logout is performed, if an OIDC session cookie is present on the request, the logout is performed using only the information associated with the OIDC session cookie. If there is no OIDC session cookie, the logout is performed using the access token in the Authorization header of the request. If this property is set to true, the logout is performed using information from both the OIDC session cookie and the Authorization header of the request, if they exist.
==============

The TAI does not make a request to the OP to revoke the token.

The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.15, 8.5.5.13 and 9.0.0.6. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
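The logout rules above, modelled as an added example that is not IBM's code: a toy session cache with the pre-fix cookie-only logout beside the fixed logout, including the alwaysInvalidateAccessTokenOnLogout behaviour. Cookie values, tokens and the cache layout are constructed assumptions, not the TAI's internal structures.

```python
# Added example, not IBM code: a small model of the OIDC RP TAI logout rules
# in this APAR. The session cache maps cookie value -> access token and back.
# Logout only evicts from this local cache; the TAI does not revoke at the OP.
class OidcSessionCache:
    def __init__(self):
        self.by_cookie = {}  # OIDC session cookie value -> access token
        self.by_token = {}   # access token -> OIDC session cookie value

    def add(self, cookie, token):
        self.by_cookie[cookie] = token
        self.by_token[token] = cookie

    def _evict(self, index, reverse, key):
        # Drop the entry under `key` from `index` and its partner from `reverse`.
        partner = index.pop(key, None)
        if partner is not None:
            reverse.pop(partner, None)
        return partner is not None

    def logout_before_fix(self, cookie, bearer):
        # Pre-fix: only the OIDC session cookie is inspected, so a request
        # carrying just an Authorization header is never logged out.
        return self._evict(self.by_cookie, self.by_token, cookie) if cookie else False

    def logout(self, cookie, bearer, always_invalidate_access_token=False):
        # Fixed: cookie first; the Authorization header token is used when
        # no cookie is present, or always when the custom property is true.
        removed = bool(cookie) and self._evict(self.by_cookie, self.by_token, cookie)
        if bearer and (not cookie or always_invalidate_access_token):
            removed = self._evict(self.by_token, self.by_cookie, bearer) or removed
        return removed

    def authenticated(self, cookie=None, bearer=None):
        return cookie in self.by_cookie or bearer in self.by_token

def mismatched_token_scenario(always_invalidate):
    # Cookie session plus a bearer token from a different login (constructed
    # values): is the bearer token still accepted after the cookie logout?
    cache = OidcSessionCache()
    cache.add("sid-1", "tok-A")
    cache.add("sid-2", "tok-B")
    cache.logout("sid-1", "tok-B", always_invalidate)
    return cache.authenticated(bearer="tok-B")

def bearer_only_scenario(fixed):
    # No cookie at all, only an access token in the Authorization header.
    cache = OidcSessionCache()
    cache.add("sid-3", "tok-C")
    (cache.logout if fixed else cache.logout_before_fix)(None, "tok-C")
    return cache.authenticated(bearer="tok-C")
```

With the default setting the mismatched bearer token survives a cookie logout; with the property set to true both are evicted, and the bearer-only case is only logged out by the fixed code.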
Temporary fix
Comments
APAR Information
APAR number
PI87354
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-09-14
Closed date
2017-09-18
Last modified date
2017-09-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R800 PSY
UP
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
04 May 2022