IBM Support

PI87354: OPENID CONNECT (OIDC) RELYING PARTY (RP) DOES NOT LOGOUT USER IF OIDC SESSION COOKIE IS NOT PRESENT


APAR status

  • Closed as program error.

Error description

  • When logging out from the OIDC RP, the user can only be logged
    out from the device which initiates the login and has an OIDC
    session cookie.
    
    If the user is accessing a resource through the OIDC TAI by
    virtue of an access token in the Authorization header of the
    HTTP request, and the user then logs out, the OIDC TAI will
    not perform its logout.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server of the     *
    *                  OpenId Connect Relying Party                *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC RP is unable to perform a      *
    *                      logout if the OIDC session cookie is    *
    *                      not present                             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    *                  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The OpenID Connect (OIDC) Relying Party (RP) TAI is unable to
    perform a logout if the OIDC session cookie is not present on
    the HTTP request.  The OIDC TAI can detect existing credentials
    using various means, one of which is the OIDC session cookie.
    If the session credentials are being maintained by an access
    token in the Authorization header of the HTTP request instead
    of the OIDC cookie, the user will not be logged out when an
    HTTP logout is performed.
    

Problem conclusion

  • When the HTTP logout API is invoked, the OIDC TAI is only
    inspecting the OIDC session cookie to find the data to remove
    from the OIDC session cache.  If the OIDC session cookie is
    not present on the HTTP request which is performing the
    logout, the user will not be logged out.
    
    The OIDC TAI is updated so that it can log out using either the
    OIDC session cookie, the access token in the Authorization
    header of the HTTP request, or both.
    
    * By default, the TAI will remove credentials from the OIDC
    session cache using the OIDC session cookie.
    
    * If the OIDC session cookie does not exist, credentials will
    be removed from the OIDC session cache using the access token
    in the Authorization header of the HTTP request, if it exists.
    
    * If you set the alwaysInvalidateAccessTokenOnLogout OIDC TAI
    custom property to true, the OIDC TAI will remove data from
    the OIDC session cache using data from both the OIDC session
    cookie and the access token in the Authorization header of
    the HTTP request.
    
    If there is an OIDC session cookie on the request, the user
    will be accessing the protected resource using the
    credentials based on the initial login to the OP.  Usually, if
    there is an access token in the HTTP header, it will be the
    same as the one associated with the cookie.  However, if, for
    some reason, the access token in the HTTP header is not the
    same as the one associated with the OIDC session cookie, it is
    possible to do a logout with the cookie and still have access
    to the resource based on the access token in the HTTP header.
    This may or may not be intended.  The purpose of the
    alwaysInvalidateAccessTokenOnLogout property is to allow the
    administrator to decide the desired logout scheme.
    
    The following OIDC TAI custom property is added:
    
    ==============
    alwaysInvalidateAccessTokenOnLogout
    values: true/false (default)
    description:
    By default, when a logout is performed, if an OIDC session
    cookie is present on a request, the logout is performed using
    only the information associated with the OIDC session cookie.
    If there is no OIDC session cookie, then the logout is
    performed using the access token in the Authorization header
    of the request.
    
    If this property is set to true, the logout will be performed
    using information from both the OIDC session cookie and the
    Authorization header of the request, if they exist.
    ==============
    
    The TAI does not make a request to the OP to revoke the
    token.
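    The three logout rules described above (cookie by default, the Authorization header token when no cookie is present, both when alwaysInvalidateAccessTokenOnLogout is true), modelled as an added Python example. This is not IBM's TAI code: the session cache, session objects, Bearer header parsing and the sample cookie and token values are constructed stand-ins, and the cookie/header mismatch case in mismatch_scenario is the one the text warns about.

    ```python
    from dataclasses import dataclass

    @dataclass(eq=False)
    class OidcSession:
        subject: str
        cookie: object        # OIDC session cookie value, or None for token-only access
        access_token: str

    def bearer_token(auth_header):
        # Access token from an "Authorization: Bearer <token>" header, else None
        if auth_header and auth_header.lower().startswith("bearer "):
            return auth_header[7:].strip() or None
        return None

    class OidcSessionCache:  # constructed stand-in for the RP session cache
        def __init__(self):
            self._by_cookie, self._by_token = {}, {}
        def add(self, s):
            if s.cookie:
                self._by_cookie[s.cookie] = s
            self._by_token[s.access_token] = s
        def remove(self, s):
            # Local removal only: the TAI does not ask the OP to revoke the token
            if s.cookie:
                self._by_cookie.pop(s.cookie, None)
            self._by_token.pop(s.access_token, None)
        def authenticated(self, cookie, auth_header):
            return cookie in self._by_cookie or bearer_token(auth_header) in self._by_token

    def logout(cache, cookie, auth_header, always_invalidate_access_token=False):
        # Returns the access tokens whose cache entries were removed
        cookie_session = cache._by_cookie.get(cookie)
        token_session = cache._by_token.get(bearer_token(auth_header))
        removed = []
        if cookie_session:                      # default: the cookie alone decides
            removed.append(cookie_session)
            if always_invalidate_access_token and token_session not in (None, cookie_session):
                removed.append(token_session)   # property true: header token as well
        elif token_session:                     # no cookie: fall back to the header token
            removed.append(token_session)
        for s in removed:
            cache.remove(s)
        return [s.access_token for s in removed]

    def mismatch_scenario(always_invalidate_access_token):
        cache = OidcSessionCache()  # constructed case: cookie and header carry different tokens
        cache.add(OidcSession("alice", "oidc-sess-1", "tok-browser"))
        cache.add(OidcSession("alice", None, "tok-api"))
        logout(cache, "oidc-sess-1", "Bearer tok-api", always_invalidate_access_token)
        return (cache.authenticated("oidc-sess-1", None), cache.authenticated(None, "Bearer tok-api"))
    ```

    With the default setting the cookie session is gone but the header token still grants access; with the property set to true both are removed.
    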
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.0.0.15, 8.5.5.13 and 9.0.0.6.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI87354

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-09-14

  • Closed date

    2017-09-18

  • Last modified date

    2017-09-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
18 September 2017