A fix is available
APAR status
Closed as program error.
Error description
When using JWT authentication with the OpenID Connect (OIDC) TAI, after the first login, each subsequent login that uses the same JWT should be faster, but it is not. This assumes that includeCustomCacheKeyInSubject=true (the default).
Local fix
n/a
Problem summary
****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server and OpenID Connect                   *
****************************************************************
* PROBLEM DESCRIPTION: JWT Authentication using the OIDC TAI   *
*                      may be slow when using a custom cache   *
*                      key.                                    *
****************************************************************
* RECOMMENDATION:  Install a fix pack or interim fix that      *
*                  contains this APAR.                         *
****************************************************************
When the OIDC TAI is performing JWT authentication and is configured to use custom cache keys, subsequent logins with the same JWT take as long as the initial login. When using JWT authentication with the OpenID Connect (OIDC) TAI, the SessionData object is not stored in dynacache. Because the SessionData object is not stored in dynacache, a new SessionData object is created for each login. Because a new SessionData object is created for each login, a different index is used for each login. Therefore, a new cache key is calculated for each login.
Problem conclusion
When a custom cache key is used, if core security cannot find the key that we produce in the cache, a re-login is triggered. The OIDC TAI's method for calculating the cache key for JWT Authentication produces a different cache key for the same JWT each time it is used. The OIDC TAI is updated so that it will produce the same cache key for the same JWT each time it is used. The fix for this APAR is targeted for inclusion in fix pack 8.5.5.20 and 9.0.5.8. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
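The cache-miss behavior described above, as an added sketch that is not IBM's code and not part of this APAR. The class name, the random per-login index, and the SHA-256 token digest are assumptions chosen for illustration; the page does not state how the OIDC TAI computes its key.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Simplified model of the behavior in this APAR; not WebSphere or OIDC TAI code.
public class CacheKeyModel {
    // Stand-in for the authentication cache that core security consults.
    static final Map<String, String> authCache = new HashMap<>();
    static int fullLogins = 0;

    // Before: the key depends on an index taken from a SessionData-like object
    // that is created fresh for every login (the random UUID is an assumption).
    static String unstableKey(String jwt) {
        String perLoginIndex = UUID.randomUUID().toString();
        return "oidc:" + perLoginIndex;
    }

    // After: the key is a pure function of the token (SHA-256 is an assumption).
    static String stableKey(String jwt) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(jwt.getBytes(StandardCharsets.UTF_8));
        return "oidc:" + Base64.getEncoder().encodeToString(digest);
    }

    // A cache miss forces the expensive path (token validation, subject creation).
    static void login(String key, String jwt) {
        if (authCache.containsKey(key)) {
            return; // fast path: subject already cached under this key
        }
        fullLogins++;
        authCache.put(key, "subject-for-" + jwt.hashCode());
    }

    public static void main(String[] args) throws Exception {
        String jwt = "header.payload.signature"; // constructed placeholder token
        for (int i = 0; i < 3; i++) login(unstableKey(jwt), jwt);
        System.out.println("unstable key: full logins=" + fullLogins
                + " cache entries=" + authCache.size());
        authCache.clear();
        fullLogins = 0;
        for (int i = 0; i < 3; i++) login(stableKey(jwt), jwt);
        System.out.println("stable key:   full logins=" + fullLogins
                + " cache entries=" + authCache.size());
    }
}
```

In this model the unstable key also leaves one cache entry per login for the same token, so the cache grows with login volume as well as never being hit.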
Temporary fix
Comments
APAR Information
APAR number
PH33170
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-01-08
Closed date
2021-04-07
Last modified date
2021-04-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
06 December 2021