APAR status
Closed as new function.
Error description
When the OpenID Connect (OIDC) Trust Association Interceptor (TAI) is configured to obtain configuration information from a discovery endpoint, that information may include a revoke endpoint. When a revoke endpoint is configured, the TAI will always send a request to the revoke endpoint. If the administrator does not want this, they must configure the TAI manually instead of using discovery. You can disable the userInfo endpoint, but you cannot disable the revoke endpoint.
Local fix
Problem summary
USERS AFFECTED: IBM WebSphere Application Server users of OIDC
PROBLEM DESCRIPTION: Add a property to disable the revoke endpoint to the OIDC TAI.
RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.

When the OIDC TAI is configured with a revoke endpoint, the TAI will always call the endpoint when sessions are removed from the cache. If an administrator does not want to revoke tokens and the property is set with discovery, they are not able to disable the revoke.
Problem conclusion
The following property is added to the OIDC TAI:

Name: provider_(id).revokeEndpointEnabled
Values: true/false, default=true
Description: Set this property to false if you want to ignore the setting for the provider_(id).revokeEndpointUrl property. This applies if the endpoint was obtained either from a TAI property or discovery.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.22 and 9.0.5.12. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH45044
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-03-21
Closed date
2022-03-22
Last modified date
2022-03-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
Document Information
Modified date:
23 March 2022