IBM Support

PI80963: Refresh tokens are issued unconditionally even for clients that do not require them

Fixes are available

17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12

APAR status

  • Closed as program error.

Error description

  • Currently the Liberty OIDC Provider always returns a refresh token
    for the authorization code and password grant types. We want the
    Liberty code to check for the refresh_token grant type: if that
    grant type is set, return refresh tokens; otherwise skip them.
    Currently, for clients that do not need refresh tokens, Liberty
    still issues them, which causes a large number of unused refresh
    tokens in the cache table and results in system performance
    degradation and instability.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty - OAuth Provider Feature     *
    ****************************************************************
    * PROBLEM DESCRIPTION: Refresh tokens are issued               *
    *                      unconditionally even for clients that   *
    *                      do not require them.                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Refresh tokens are issued unconditionally; this can lead to
    resource problems if a large number of useless tokens have to be
    tracked by the server.
    

Problem conclusion

  • Code is updated so issuing of refresh tokens to clients can be
    disabled in one of two ways.
    1) To disable issuing of refresh tokens for all clients, in
    server.xml add issueRefreshToken="false" as documented here:
    https://www.ibm.com/support/knowledgecenter/was_beta_liberty/com.ibm.websphere.liberty.autogen.beta.doc/ae/rwlp_config_oauthProvider.html
    
    or
    2) To disable issuing of refresh tokens for only some clients,
    specify a client grantTypes attribute that does not include
    refresh_token, for example:
    grantTypes="authorization_code, implicit, client_credentials,
    password, urn:ietf:params:oauth:grant-type:jwt-bearer"
    as documented here:
    https://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.liberty.autogen.nd.doc/ae/rwlp_config_oauthProvider.html#localStore__client__grantTypes
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 8.5.5.8. Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
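    The following script is an added example, not IBM code and not part of
    the APAR. It embeds a constructed server.xml fragment showing both
    remediations from the problem conclusion (a provider-level
    issueRefreshToken="false" and a per-client grantTypes list without
    refresh_token) and reports which clients would still be issued refresh
    tokens under the fixed behaviour. Assumptions: the element layout
    oauthProvider > localStore > client is taken from the documentation
    anchor above; the oauth-2.0 feature and the client attributes name,
    secret and redirect are assumed from general Liberty configuration; the
    secrets and hostnames are placeholders; and because the APAR does not
    state the default grantTypes for a client that omits the attribute, that
    default is a parameter of the check rather than a hard-coded value.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from the APAR). Element layout follows the
# oauthProvider > localStore > client path implied by the documentation anchor;
# the oauth-2.0 feature and the name/secret/redirect attributes are assumed from
# general Liberty configuration, and the secrets/hosts are placeholders.
SERVER_XML = """<server>
  <featureManager>
    <feature>oauth-2.0</feature>
  </featureManager>
  <oauthProvider id="SampleProvider">
    <localStore>
      <!-- Interactive client that legitimately needs refresh tokens -->
      <client name="webapp" secret="PLACEHOLDER_SECRET"
              redirect="https://app.example.test/callback"
              grantTypes="authorization_code, refresh_token"/>
      <!-- Client using the grantTypes list from the APAR (no refresh_token) -->
      <client name="batch" secret="PLACEHOLDER_SECRET"
              redirect="https://batch.example.test/callback"
              grantTypes="authorization_code, implicit, client_credentials, password, urn:ietf:params:oauth:grant-type:jwt-bearer"/>
      <!-- Client with grantTypes omitted: falls back to the provider default -->
      <client name="legacy" secret="PLACEHOLDER_SECRET"
              redirect="https://legacy.example.test/callback"/>
    </localStore>
  </oauthProvider>
</server>
"""


def parse_grant_types(value):
    """Split a comma-separated grantTypes attribute into a set of grant names."""
    return {g.strip() for g in value.split(",") if g.strip()}


def refresh_token_clients(server_xml, default_includes_refresh=True):
    """Map each client of each oauthProvider to whether it will receive refresh
    tokens under the fixed behaviour: never when the provider sets
    issueRefreshToken="false", otherwise only when its grantTypes contains
    refresh_token. The APAR does not state the default grantTypes for a client
    that omits the attribute, so that case is governed by
    default_includes_refresh (an assumption exposed as a parameter)."""
    root = ET.fromstring(server_xml)
    report = {}
    for provider in root.iter("oauthProvider"):
        pid = provider.get("id", "<unnamed>")
        global_off = provider.get("issueRefreshToken", "true").strip().lower() == "false"
        clients = {}
        for client in provider.iter("client"):
            name = client.get("name", "<unnamed>")
            grant_types = client.get("grantTypes")
            if global_off:
                issued = False
            elif grant_types is None:
                issued = default_includes_refresh
            else:
                issued = "refresh_token" in parse_grant_types(grant_types)
            clients[name] = issued
        report[pid] = clients
    return report


def disable_refresh_tokens_globally(server_xml):
    """Return a copy of the configuration with issueRefreshToken="false" set on
    every oauthProvider, i.e. option 1 from the problem conclusion."""
    root = ET.fromstring(server_xml)
    for provider in root.iter("oauthProvider"):
        provider.set("issueRefreshToken", "false")
    return ET.tostring(root, encoding="unicode")


def clients_still_receiving_refresh_tokens(server_xml, default_includes_refresh=True):
    """Flat, sorted list of "provider/client" names that will still be handed
    refresh tokens; a pre-deployment check that option 2 was applied everywhere."""
    report = refresh_token_clients(server_xml, default_includes_refresh)
    return sorted(f"{pid}/{name}" for pid, clients in report.items()
                  for name, issued in clients.items() if issued)


if __name__ == "__main__":
    print("before:", clients_still_receiving_refresh_tokens(SERVER_XML))
    print("after :", clients_still_receiving_refresh_tokens(
        disable_refresh_tokens_globally(SERVER_XML)))
```

    Running the script against the embedded fragment lists webapp and legacy
    as still receiving refresh tokens (batch is excluded by its grantTypes),
    and an empty list once the provider-level switch is applied. Run it over
    a real server.xml to spot clients that rely on the omitted-attribute
    default before deciding between the global and per-client options.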

Temporary fix

Comments

APAR Information

  • APAR number

    PI80963

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    CD0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-05-03

  • Closed date

    2017-07-26

  • Last modified date

    2017-07-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROFILE

  • Fixed component ID

    5724J0814

Applicable component levels

  • RCD0 PSY

       UP

Document Information

Modified date:
19 October 2021