IBM Support

PH63252: z/OS Connect only retries requests with a new token if a WWW-Authenticate header containing "invalid_token" is returned.


APAR status

  • Closed as new function.

Error description

  • RFC 6749 (The OAuth 2.0 Authorization Framework) states that
    when a request presents an expired access token, the response
    must be returned with an HTTP status code 401 and SHOULD also
    return a WWW-Authenticate header containing "invalid_token".
    
    z/OS Connect requires the WWW-Authenticate header containing
    "invalid_token" to be returned to retry with a new access token.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of z/OS Connect V3.0 API           *
    *                 requesters and OAuth 2.0 access tokens       *
    *                 (OpenAPI 2 and OpenAPI 3).                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: z/OS Connect only retries requests with *
    *                      a new token if a WWW-Authenticate       *
    *                      header containing "invalid_token" is    *
    *                      returned.                               *
    ****************************************************************
    z/OS Connect only retries API endpoint requests with a new OAuth
    2.0 access token if HTTP status code 401 and a
    WWW-Authenticate header containing "invalid_token" are returned.
    The specification states the WWW-Authenticate header containing
    "invalid_token" should be returned when an expired access token
    is presented.
    
    z/OS Connect was coded to require the WWW-Authenticate header
    containing "invalid_token" for the request to be retried with a
    new access token.
    

Problem conclusion

Temporary fix

Comments

  • z/OS Connect has been enhanced to provide a new
    zosconnect_oAuthConfig element attribute tokenRetryCheckLevel
    which can be set to one of the following values:
    
    1 - Retry the request with a new OAuth 2.0 access token if HTTP
        status code 401 is returned.
    2 - Not implemented.
    3 - Retry the request with a new OAuth 2.0 access token if HTTP
        status code 401 and a WWW-Authenticate header containing
        "invalid_token" are returned. (Default value)
    
    The fix for this APAR is expected to be delivered by the PTFs
    for z/OS Connect V3.0.93.0 (PH66161).
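
    The decision each tokenRetryCheckLevel value makes, modelled as an added Python example (not z/OS Connect code). Function names and the sample responses are constructed, and "containing" is assumed to mean a substring match on the header value. It reports, for a captured endpoint response, the level at which a retry with a new token would occur.

```python
# Added illustration of the retry rule in this APAR; not z/OS Connect code.
# Function names and the sample responses below are constructed.

def has_invalid_token(headers):
    """True if any WWW-Authenticate header value contains "invalid_token".
    headers is a list of (name, value) pairs; names compare case-insensitively."""
    for name, value in headers:
        if name.lower() == "www-authenticate" and "invalid_token" in value:
            return True
    return False

def should_retry(level, status, headers):
    """Model of tokenRetryCheckLevel as the APAR text describes it."""
    if level == 1:
        return status == 401
    if level == 3:
        return status == 401 and has_invalid_token(headers)
    # Level 2 is listed as "Not implemented"; anything else is not defined.
    raise ValueError("tokenRetryCheckLevel %r is not implemented" % (level,))

def minimum_level(status, headers):
    """3 if the default level retries, 1 if only level 1 does, else None."""
    if should_retry(3, status, headers):
        return 3
    if should_retry(1, status, headers):
        return 1
    return None

# Constructed endpoint responses: (label, status, headers).
SAMPLES = [
    ("expired, full challenge", 401,
     [("WWW-Authenticate", 'Bearer error="invalid_token", '
                           'error_description="The access token expired"')]),
    ("expired, bare challenge", 401, [("www-authenticate", 'Bearer realm="api"')]),
    ("expired, no header", 401, [("Content-Type", "application/json")]),
    ("forbidden", 403, [("WWW-Authenticate", 'Bearer error="insufficient_scope"')]),
]

def report():
    """Map each sample label to the level needed for a retry (None = never)."""
    return {label: minimum_level(status, hdrs) for label, status, hdrs in SAMPLES}

if __name__ == "__main__":
    for label, level in report().items():
        print("%-26s retry needs tokenRetryCheckLevel=%s" % (label, level))
```

    An endpoint whose expired-token responses map to 1 here is not retried at the default value 3.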
    

APAR Information

  • APAR number

    PH63252

  • Reported component name

    Z/OS CONNECT EE

  • Reported component ID

    5655CE300

  • Reported release

    000

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-09-16

  • Closed date

    2025-05-02

  • Last modified date

    2025-05-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    Z/OS CONNECT EE

  • Fixed component ID

    5655CE300

Applicable component levels


Document Information

Modified date:
02 May 2025