IBM Support

PH13175: TOKENS ARE NOT REVOKED WHEN SESSIONS ARE EVICTED FROM THE CACHE

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When using the OpenId Connect (OIDC) Relying Party Trust
    Association Interceptor (TAI) on WebSphere Application Server,
    it is possible that the refresh and access tokens for a
    logged-in user do not get revoked when the user's session is
    evicted from the cache.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenID Connect                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC TAI does not revoke the        *
    *                      tokens associated with a session when   *
    *                      it is evicted from the cache.           *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    In the OpenID Connect (OIDC) Relying Party (RP) Trust
    Association Interceptor (TAI), if a revoke endpoint url is
    configured, when a user logs out, the tokens associated with
    the session are revoked.
    However, if the session is evicted from the cache for any
    reason, such as the session expired or the cache is full, the
    tokens will not be revoked.  This behavior may cause problems
    for some administrators.
    

Problem conclusion

  • The OIDC TAI is updated so that it can revoke tokens when a
    session is evicted from the cache.
    
    A new OIDC TAI custom property is added:
    provider_<id>.revokeTokensOnCacheEviction
    
    The valid values are true and false (default).
    
    When the provider_<id>.revokeTokensOnCacheEviction property is
    set to true and the provider_<id>.revokeEndpointUrl
    property is set to a value, when the session data is evicted
    from the cache for any reason, the tokens in the session data
    will be revoked.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.16 and 9.0.5.1.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH13175

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-06-10

  • Closed date

    2019-06-19

  • Last modified date

    2019-06-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
24 November 2021