IBM Support

PH39847: OIDC RP: ENTRY IS NEVER REMOVED FROM CACHE WHEN INITIAL LOGIN IS VIA INTROSPECTION


APAR status

  • Closed as program error.

Error description

  • The OIDC session cache timeout is not set properly when initial
    login is via introspection.  When OIDC initial login is via
    introspection, its session cache entry is never removed from
    the cache.
    
    The session cache timeout should be the value for the
    provider_(id).sessionCacheTimeoutMinutes property, or the
    access token timeout if the
    provider_(id).sessionCacheTimeoutMinutes property is not
    specified.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server and the    *
    *                  OIDC TAI                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: When OIDC RP initial login is via       *
    *                      introspection, its session cache entry  *
    *                      is never removed from the cache         *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix for this  *
    *                  APAR                                        *
    ****************************************************************
    The OIDC relying party (RP) session cache timeout is not set
    properly when initial login is via introspection.  When initial
    login is via introspection, its session cache entry is never
    removed from the cache.
    

Problem conclusion

  • When the OIDC RP initial login is via introspection, the session
    cache timeout is always being set to zero and therefore the
    entry never expires and is never removed from the cache.
    
    The OIDC RP Trust Association Interceptor (TAI) is updated so
    that the session cache timeout is set properly when initial login
    is via introspection.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.21 and 9.0.5.10.  For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
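
    The following is an added illustration, not IBM's code and not taken
    from the TAI source. It models the behaviour described above: an entry
    stored with a timeout of zero is never evicted, while the corrected
    rule uses provider_(id).sessionCacheTimeoutMinutes or, if that is not
    specified, the access token timeout. All class, method and key names
    are hypothetical, the sample values are constructed, and Java 16 or
    later is assumed.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative model only; names are hypothetical, not WebSphere internals.
public class SessionCacheTimeoutDemo {
    // Convention taken from the APAR text: a timeout of 0 means the entry never expires.
    record Entry(String subject, long createdMs, long timeoutMs) {
        boolean expired(long nowMs) {
            return timeoutMs > 0 && nowMs - createdMs >= timeoutMs;
        }
    }

    static final Map<String, Entry> cache = new ConcurrentHashMap<>();

    // Rule stated in the APAR: use provider_(id).sessionCacheTimeoutMinutes when it is
    // specified, otherwise fall back to the access token timeout.
    // Assumption of this example: null models "not specified"; a non-positive value
    // is treated the same way so it cannot reintroduce a zero timeout.
    static long resolveTimeoutMs(Integer sessionCacheTimeoutMinutes, long accessTokenTimeoutSec) {
        if (sessionCacheTimeoutMinutes != null && sessionCacheTimeoutMinutes > 0) {
            return sessionCacheTimeoutMinutes * 60_000L;
        }
        return accessTokenTimeoutSec * 1_000L;
    }

    // Periodic cleanup pass: removes expired entries and returns how many were evicted.
    static int sweep(long nowMs) {
        int before = cache.size();
        cache.values().removeIf(e -> e.expired(nowMs));
        return before - cache.size();
    }

    public static void main(String[] args) {
        long t0 = 0L;
        long tokenLifetimeSec = 3600; // constructed sample: one-hour access token
        // Defective path: the introspection login stores the entry with timeout 0.
        cache.put("defective", new Entry("alice", t0, 0L));
        // Corrected path, property not specified: access token timeout is used.
        cache.put("fixed-default", new Entry("alice", t0, resolveTimeoutMs(null, tokenLifetimeSec)));
        // Corrected path, property set to 10 minutes.
        cache.put("fixed-configured", new Entry("alice", t0, resolveTimeoutMs(10, tokenLifetimeSec)));

        long oneDayLater = t0 + 24 * 3_600_000L;
        System.out.println("evicted after 24h: " + sweep(oneDayLater));
        System.out.println("still cached: " + cache.keySet());
    }
}
```

    After the simulated 24 hours the sweep evicts the two corrected
    entries and leaves only the zero-timeout entry in the cache.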
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH39847

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-08-13

  • Closed date

    2021-09-07

  • Last modified date

    2021-09-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
06 December 2021