IBM Support

PH33170: OIDC JWT AUTHENTICATION USING CUSTOM CACHE KEY CAN BE SLOW

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • When using JWT authentication with the OpenID Connect (OIDC)
    TAI, after the first login, each subsequent login that uses
    the same JWT should be faster, but they are not.
    
    This assumes that includeCustomCacheKeyInSubject=true
    (default)
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  and OpenID Connect                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: JWT Authentication using the OIDC TAI   *
    *                      may                                     *
    *                      be slow when using a custom cache key.  *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains                                    *
    *                  this APAR.                                  *
    ****************************************************************
    When the OIDC TAI is performing JWT authentication and is
    configured use custom cache keys, subsequent logins with the
    same
    JWT take as long as the initial login.
    When using JWT authentication with the OpenID Connect (OIDC)
    TAI, the SessionData object is not stored in dynacache. If the
    SessionData object is not stored in dynacache, a new
    SessionData object is created for each login. If a new
    SessionData object is created for each login, a different index
    is used for each login. Therefore a new cache key will be
    calculated for each login.
    

Problem conclusion

  • When a custom cache key is used, if core security cannot find th
    key that we produce in the cache, a re-login is triggered.
    
    The OIDC TAI's method for calculating the cache key for JWT
    Authentication is producing a different cache key for the same
    JWT each time it used.
    
    The OIDC TAI is updated so that it will produce the same cache
    key for the same JWT each time it is used.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.20 and 9.0.5.8. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH33170

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-01-08

  • Closed date

    2021-04-07

  • Last modified date

    2021-04-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900"}]

Document Information

Modified date:
08 April 2021