Fixes are available
PH13175: OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
When using the OpenId Connect (OIDC) Relying Party Trust Association Interceptor (TAI) on WebSphere Application Server, it is possible that the refresh and access tokens for a logged-in user do not get revoked when the user's session is evicted from the cache.
Local fix
N/A
Problem summary
**************************************************************** * USERS AFFECTED: IBM WebSphere Application Server users of * * OpenID Connect * **************************************************************** * PROBLEM DESCRIPTION: The OIDC TAI does not revoke the * * tokens associated with a session when * * it is evicted from the cache. * **************************************************************** * RECOMMENDATION: Install a fix pack or interim fix that * * contains this APAR. * **************************************************************** In the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI), if a revoke endpoint url is configured, when a user logs out, the tokens associated with the session are revoked. However, if the session is evicted from the cache for any reason, such as the session expired or the cache is full, the tokens will not be revoked. This behavior may cause problems for some administrators.
Problem conclusion
The OIDC TAI is updated so that it can revoke tokens when a session is evicted from the cache. A new OIDC TAI custom property is added: provider_<id>.revokeTokensOnCacheEviction The valid values are true and false (default). When the provider_<id>.revokeTokensOnCacheEviction property is set to true and the provider_<id>.revokeEndpointUrl property is set to a value, when the session data is evicted from the cache for any reason, the tokens in the session data will be revoked. The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.16 and 9.0.5.1. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PH13175
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-06-10
Closed date
2019-06-19
Last modified date
2019-06-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
28 April 2022