PH25697: OIDC RP SESSIONCACHETIMEOUTMINUTES=0 IS NOT OVERRIDING IDTOKEN EXP CLAIM

APAR status

  • Closed as program error.

Error description

  • When the provider_<id>.sessionCacheTimeoutMinutes OIDC TAI
    property is set to zero (0), the exp claim of the idToken
    should not be used when determining lifetime of the OIDC
    session data in the session cache.  However, when
    sessionCacheTimeoutMinutes=0, the idToken exp claim is still
    used.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC sessionCacheTimeoutMinutes     *
    *                      property does not behave as expected    *
    *                      when set to 0.                          *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    When the value for the OpenID Connect (OIDC) trust association
    interceptor (TAI) provider_<id>.sessionCacheTimeoutMinutes
    property is set to 0, the exp claim of the idToken is still
    used to determine the lifetime of session cache entries.
    

Problem conclusion

  • For the OIDC TAI to accept a value of 0 for the
    provider_<id>.sessionCacheTimeoutMinutes property, the TAI must be
    using DynaCache for the session cache rather than local caching.
    At the time the sessionCacheTimeoutMinutes value is evaluated, the
    DynaCache feature always reports that it is not active, so the TAI
    never allows the property to be set to 0.
    
    To ensure that the availability of DynaCache is reliable at
    the time of the evaluation of the
    provider_<id>.sessionCacheTimeoutMinutes property, the OIDC TAI
    is updated so that the value for the property is evaluated
    when the TAI initializes its DynaCache objects.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.5. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    
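The following is an added illustration, not WebSphere or OIDC TAI code: a small Python model of the ordering problem described above, in which the property is evaluated before the DynaCache objects exist (pre-fix) versus when they are initialised (post-fix). The fallback timeout and the min(timeout, exp) lifetime rule are assumptions for the model; the page does not state them.

```python
# Simplified model of the sessionCacheTimeoutMinutes evaluation described in
# this APAR. Hypothetical illustration only, not WebSphere or OIDC TAI code.
from typing import Optional

ASSUMED_FALLBACK_MINUTES = 20  # placeholder: the page does not state the fallback


def effective_timeout(configured_minutes: int, dynacache_active: bool) -> Optional[int]:
    """Return the timeout the TAI actually applies.

    None means "0 was accepted": the idToken exp claim is not consulted and
    the entry's lifetime is left to the DynaCache-backed cache itself.
    """
    if configured_minutes == 0:
        # 0 is only allowed when DynaCache backs the session cache.
        return None if dynacache_active else ASSUMED_FALLBACK_MINUTES
    return configured_minutes


def entry_expiry(now: int, id_token_exp: int, timeout: Optional[int]) -> Optional[int]:
    """Expiry (epoch seconds) of a session-cache entry; None = not bound by exp.

    Assumption: with a positive timeout the entry never outlives the exp claim.
    """
    if timeout is None:
        return None
    return min(now + timeout * 60, id_token_exp)


class OidcTai:
    """Models the initialisation order. The pre-fix TAI evaluated the property
    before its DynaCache objects existed, so dynacache_active always read False."""

    def __init__(self, configured_minutes: int, fixed: bool, dynacache_available: bool = True):
        self.dynacache_active = False
        if not fixed:  # pre-fix: evaluated too early, DynaCache looks inactive
            self.timeout = effective_timeout(configured_minutes, self.dynacache_active)
        self.dynacache_active = dynacache_available  # DynaCache objects initialised here
        if fixed:  # post-fix: evaluated once the DynaCache status is reliable
            self.timeout = effective_timeout(configured_minutes, self.dynacache_active)

    def session_expiry(self, now: int, id_token_exp: int) -> Optional[int]:
        return entry_expiry(now, id_token_exp, self.timeout)


if __name__ == "__main__":
    now, exp = 1_600_000_000, 1_600_000_300  # constructed: token expires in 5 minutes
    print("pre-fix :", OidcTai(0, fixed=False).session_expiry(now, exp))  # exp still applied
    print("post-fix:", OidcTai(0, fixed=True).session_expiry(now, exp))   # None: exp ignored
```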

Temporary fix

Comments

APAR Information

  • APAR number

    PH25697

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-05-22

  • Closed date

    2020-06-30

  • Last modified date

    2020-06-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

Document Information

Modified date:
27 August 2021