Abstract
PH13175: OIDC RP tokens are not revoked when sessions are evicted from the cache.
Download Description
THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.
ERROR DESCRIPTION:
In the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI), when a revoke endpoint URL is configured, the tokens that are associated with a session are revoked when the user logs out.
However, if the session is evicted from the cache for any reason, such as session expiry or a full cache, the tokens are not revoked. This behavior can cause problems for some administrators.
The OIDC TAI is updated so that it can revoke tokens when a session is evicted from the cache.
The following property is added to the OIDC RP TAI custom properties:
Property | Values | Description |
---|---|---|
provider_<id>.revokeTokensOnCacheEviction | true, false (default) | When this property is set to true and the provider_<id>.revokeEndpointUrl property is set to a value, the tokens in a session are revoked when that session is evicted from the cache for any reason. |
The fix for this APAR is targeted for inclusion in fix pack 8.5.5.16 and 9.0.5.1. Refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
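
The following is an added example, not IBM's code and not part of the original technote: a toy Python model of a session cache that shows the logout path revoking tokens while the eviction path (cache full or session expired) revokes only when the new flag is on. The class and parameter names, the endpoint URL, the token values and the RFC 7009-style request body are assumptions made for illustration.

```python
import time
from collections import OrderedDict
from urllib.parse import urlencode

class SessionCache:
    """Toy RP session cache; names are hypothetical, not WebSphere's."""
    def __init__(self, max_size, ttl, revoke_url=None, revoke_on_eviction=False,
                 send=None, clock=time.monotonic):
        self.max_size, self.ttl, self.clock = max_size, ttl, clock
        self.revoke_url = revoke_url                  # models provider_<id>.revokeEndpointUrl
        self.revoke_on_eviction = revoke_on_eviction  # models revokeTokensOnCacheEviction
        self.send = send or (lambda url, body: None)  # stand-in for the HTTP POST
        self._sessions = OrderedDict()                # sid -> (expires_at, tokens)

    def _revoke(self, tokens):
        if self.revoke_url:                           # no endpoint configured: nothing to call
            for hint, token in tokens.items():        # assumed RFC 7009-style form body
                self.send(self.revoke_url,
                          urlencode({"token": token, "token_type_hint": hint}))

    def _evict(self, sid):
        _, tokens = self._sessions.pop(sid)
        if self.revoke_on_eviction:                   # default False: tokens outlive the session
            self._revoke(tokens)

    def purge_expired(self):
        now = self.clock()
        for sid in [s for s, (exp, _) in self._sessions.items() if exp <= now]:
            self._evict(sid)

    def put(self, sid, tokens):
        self.purge_expired()
        while len(self._sessions) >= self.max_size:   # cache full: evict the oldest entry
            self._evict(next(iter(self._sessions)))
        self._sessions[sid] = (self.clock() + self.ttl, tokens)

    def logout(self, sid):
        tokens = self._sessions.pop(sid, (None, {}))[1]
        self._revoke(tokens)                          # logout revokes whenever an endpoint is set

def demo(revoke_on_eviction):
    # Constructed scenario: one eviction by capacity, then two by expiry.
    sent, now = [], [0.0]
    cache = SessionCache(2, 60, "https://op.example/revoke", revoke_on_eviction,
                         send=lambda url, body: sent.append(body), clock=lambda: now[0])
    cache.put("s1", {"access_token": "at-1", "refresh_token": "rt-1"})
    cache.put("s2", {"access_token": "at-2"})
    cache.put("s3", {"access_token": "at-3"})         # capacity 2: s1 is evicted
    now[0] = 61.0
    cache.purge_expired()                             # s2 and s3 expire
    return sent
```

With the flag off, `demo(False)` sends no revocation requests even though three sessions left the cache; with it on, every token from those sessions is sent to the revoke endpoint.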
Problems Solved
Technical Support
Document Location
Worldwide
Problems (APARS) fixed
Document Information
Modified date:
05 August 2020
UID
ibm10888181