IBM Support

PI63058: Add timeout to OAuth cache

Fixes are available

7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
9.0.5.6: WebSphere Application Server traditional Version 9.0.5 Fix Pack 6

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • The WebSphere Knowledge Center article titled "Registering
    OAuth clients" states:
    "After creating the client storing files and tables, you can
    directly add, delete, or modify a client.  You can also use
    WebSphere Application Server MBean or programming APIs to
    manage clients."
    
    
    But there are apparently significant caveats that are not
    stated if you directly update clients in the database.  For
    example, if you disable a client (set enabled=0), the client
    will remain valid until the cache entry is removed, which may
    not happen without a server restart.
    
    
    Sometimes it is difficult (and very inconvenient) to use the
    WebSphere MBean to update the OAuth clients.  We want to be
    able to update the database entities directly.
    
    
    It would be very helpful to be able to configure the cache
    entries to have a maximum lifetime (e.g.  one hour) after
    which they would automatically be refreshed from the database,
    or configure the cache to periodically clear itself, or
    disable the cache entirely.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OAuth                                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: Clients that have been disabled in      *
    *                      the database after load time can be     *
    *                      returned as valid clients from the      *
    *                      OAuth cache.                            *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    There are conditions where clients in the OAuth cache may
    become stale and should not be used.  A mechanism should be
    set up so that stale clients are less likely to be used.
    

Problem conclusion

  • The OAuth TAI is updated to add a custom property called
    oauth20.client.cache.seconds.  The value for this property is
    the number of seconds that a client can be in the cache after
    it is loaded from the database.
    
    If oauth20.client.cache.seconds is set to 0,  the OAuth TAI
    will not cache any clients.
    
    By default, there is no change in behavior.  To get the new
    behavior, add the following to your OAuth provider
    configuration:
    
    <parameter name="oauth20.client.cache.seconds"
    type="cc"  customizable="true">
        <value>600</value>
    </parameter>
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.43, 8.0.0.14, 8.5.5.12 and 9.0.0.4.  Please
    refer to the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI63058

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-05-25

  • Closed date

    2017-01-31

  • Last modified date

    2017-01-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
14 October 2021