IBM Support

PH21611: OIDC RP MAY ATTEMPT TO REFRESH ACCESS TOKENS THAT ARE NOT EXPIRED

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The OpenID Connect Relying Party may send refresh requests
    to the OpenID provider for access tokens that are not expired.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OIDC                             *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC RP may send refresh requests   *
    *                      to                                      *
    *                      the OP for access tokens that are not   *
    *                      expired.                                *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The OpenID Connect (OIDC) Relying Party (RP) Trust Association
    Interceptor (TAI) may send more than one refresh request for
    an expired access token.  The first request will refresh the
    access token, then, on each subsequent refresh request, the
    access token is not expired.
    The same behavior can be observed with the
    OidcClientHelper.getValidAccessToken() method.
    

Problem conclusion

  • This condition can happen when there are many requests coming
    into the TAI for the same session at the same time.
    
    The OIDC TAI is updated so that the refresh of the access token
    is synchronized with its SessionData object.  Only one refresh
    can happen at a time, therefore a refresh will not happen on an
    unexpired access token.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.4.  For more information, see 'Recommended
    Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH21611

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-01-30

  • Closed date

    2020-04-09

  • Last modified date

    2020-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900"}]

Document Information

Modified date:
27 August 2021