PH62864: An OAuth 2.0 access token with a lifetime of less than 1 second can be sent to an API endpoint.

APAR status

• Closed as unreproducible in next release.

Error description

• The z/OS Connect product documentation for API requester OAuth
  2.0 support states that when an access token is retrieved from
  the cache, if the access token is expired or has less than a
  one-second lifetime left, a new token is obtained.
  In some cases, an OAuth 2.0 access token is sent to an API
  endpoint with a lifetime of less than 1 second.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of z/OS Connect V3.0 OpenAPI 2 and *
  *                 OpenAPI 3 API requesters with OAuth 2.0      *
  *                 tokens.                                      *
  ****************************************************************
  * PROBLEM DESCRIPTION: An OAuth 2.0 access token with a        *
  *                      lifetime of less than 1 second can be   *
  *                      sent to an API endpoint.                *
  ****************************************************************
  The calculation of the remaining lifetime of an OAuth 2.0 token
  did not always ensure that the token sent to the API endpoint
  had a remaining lifetime of at least 1 second.
  

Problem conclusion

Temporary fix

Comments

• z/OS Connect has been changed so that OAuth 2.0 tokens sent to
  an API endpoint have a remaining lifetime of at least 1 second
  left.
  
  The fix for this APAR is expected to be delivered by the PTFs
  for z/OS Connect V3.0.85.0 (PH62827).
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  Z/OS CONNECT EE

• Fixed component ID

  5655CE300

Applicable component levels