Fixes are available
APAR status
Closed as program error.
Error description
When the provider_<id>.sessionCacheTimeoutMinutes OIDC TAI property is set to zero (0), the exp claim of the idToken should not be used when determining lifetime of the OIDC session data in the session cache. However, when sessionCacheTimeoutMinutes=0, the idToken exp claim is still used.
Local fix
n/a
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server and OpenID Connect * **************************************************************** * PROBLEM DESCRIPTION: The OIDC sessionCacheTimeoutMinutes * * property does not behave as expected * * when set to 0. * **************************************************************** * RECOMMENDATION: Install a fix pack or interim fix that * * contains this APAR. * **************************************************************** When the value for the OpenID Connect (OIDC) trust association interceptor (TAI) provider_<id>.sessionCacheTimeoutMinutes property is set to 0, the exp claim of the idToken is still used to determine the lifetime of session cache entries.
Problem conclusion
In order for the OIDC TAI to allow the provider_<id>.sessionCacheTimeoutMinutes property to be set to 0, the TAI must be using DynaCache for the session cache, not local caching. At the time the value for the sessionCacheTimeoutMinutes is evaluated, the status of the DynaCache feature always reports that it is not active, therefore the TAI will not allow the property to be set to 0. To ensure that the availability of DynaCache is reliable at the time of the evaluation of the provider_<id>.sessionCacheTimeoutMinutes property, the OIDC TAI is updated so that the value for the property is evaluated when the TAI initializes its DynaCache objects. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.5. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH25697
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-05-22
Closed date
2020-06-30
Last modified date
2020-06-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
06 December 2021