IBM Support

PH00569: OPENID CONNECT RELYING PARTY HANDLING OF ID_TOKEN EXPIRY IS NOT CONFIGURABLE


APAR status

  • Closed as program error.

Error description

  • The OpenID Connect (OIDC) Relying Party (RP) monitors the
    expiration time of id_tokens retrieved during the login
    process. When an id_token has expired, the user's
    authentication to WAS is considered to be expired as well. This
    behavior is currently not configurable.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenID Connect Relying Party                *
    ****************************************************************
    * PROBLEM DESCRIPTION: Sessions for users authenticated with   *
    *                      OIDC expire at time of exp claim in     *
    *                      ID token                                *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The sessions for users that were authenticated into WebSphere
    using the OpenID Connect (OIDC) Relying Party (RP) Trust
    Association Interceptor (TAI) will expire at the time of the
    exp claim of the ID token associated with the session.  This
    behavior is not configurable.  WebSphere administrators may
    want the user's sessions to persist longer than the exp
    claim in the ID token.
    

Problem conclusion

  • When the OIDC RP inserts SessionData objects into DynaCache,
    the time given for eviction of the object from the cache is
    the value for the exp claim in the associated ID token.
    
    The runtime is updated to allow the eviction of the
    SessionData objects from the cache to not be based on the exp
    claim in the ID token.
    
    The following OIDC TAI custom property is added:
    
    provider_<id>.sessionCacheTimeoutMinutes, default=120
    
    The time, in minutes, that a session associated with an ID
    token may remain in the session cache.  By default, a session
    will be removed from the cache based on at least four things,
    in priority order: 1) logout, 2) ID token expiration (or
    time-out), 3) failure to refresh an access token, and 4) cache
    eviction policy.  Setting this property will override the
    value for the ID token expiration for session caching
    purposes.  If this property is set to [0], only the other
    three conditions will be used for removing sessions from the
    session cache.  The expiration of the ID token is provided in
    the [exp] claim.  The minimum value for this property is
    [0] and the maximum value is [43200]. If this property is not
    set to a value in the configuration and there is no expiration
    in the ID token, the default time-out is [120] minutes.
    
    When the dynacache service is not available, the setting will
    be ignored if this property is set to [0] because the local
    cache has no eviction policy.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.15 and 9.0.0.10.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
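To make the eviction rules above concrete, here is an added example (not WebSphere's code) that models how the session-cache deadline for a SessionData entry follows from sessionCacheTimeoutMinutes and the ID token's exp claim, including the [0] case and the no-DynaCache case; the epoch-second inputs are constructed, and treating "ignored" without DynaCache as "behave as if unset" is an assumption.

```python
"""Models the session-cache eviction rules described in this APAR (assumed
interpretation, not WebSphere's code). Times are Unix epoch seconds."""

DEFAULT_TIMEOUT_MIN = 120   # documented default
MIN_TIMEOUT_MIN = 0
MAX_TIMEOUT_MIN = 43200     # documented maximum


def parse_timeout_minutes(value):
    """Parse provider_<id>.sessionCacheTimeoutMinutes. None means the
    property is not set. Values outside [0, 43200] are rejected here
    (assumption: the TAI would reject or ignore them as well)."""
    if value is None:
        return None
    minutes = int(value)
    if not MIN_TIMEOUT_MIN <= minutes <= MAX_TIMEOUT_MIN:
        raise ValueError(f"sessionCacheTimeoutMinutes out of range: {minutes}")
    return minutes


def session_cache_deadline(now, id_token_exp, timeout_minutes, dynacache_available=True):
    """Return the epoch second at which the SessionData entry is evicted on
    a time basis, or None when no time-based eviction applies (logout,
    refresh failure and the cache's own eviction policy still remove it)."""
    if timeout_minutes is None:
        # Property not set: follow the ID token's exp claim; a token with no
        # exp falls back to the documented 120-minute default.
        return id_token_exp if id_token_exp is not None else now + DEFAULT_TIMEOUT_MIN * 60
    if timeout_minutes == 0:
        if dynacache_available:
            return None   # 0 disables the time-based condition in DynaCache
        # The local cache has no eviction policy, so the APAR says 0 is
        # ignored; modelled here as "behave as if unset" (assumption).
        return session_cache_deadline(now, id_token_exp, None, dynacache_available)
    # An explicit value overrides the exp claim for session caching purposes.
    return now + timeout_minutes * 60


def session_outlives_id_token(now, id_token_exp, timeout_minutes, dynacache_available=True):
    """True when the configured timeout keeps the cached session alive past
    the ID token's exp claim, which is the change this APAR makes possible."""
    deadline = session_cache_deadline(now, id_token_exp, timeout_minutes, dynacache_available)
    if id_token_exp is None:
        return False
    return deadline is None or deadline > id_token_exp
```

Feeding a deployment's actual property value and a sample token's exp into session_outlives_id_token shows at a glance whether sessions are now allowed to extend beyond the token lifetime.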

Temporary fix

Comments

APAR Information

  • APAR number

    PH00569

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-07-16

  • Closed date

    2018-10-15

  • Last modified date

    2018-10-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
15 October 2021