IBM Support

PH13175: OIDC RP tokens are not revoked when sessions are evicted from the cache

Download


Downloadable File

Abstract

PH13175: OIDC RP tokens are not revoked when sessions are evicted from the cache.

Download Description

THIS FIX HAS BEEN SUPERSEDED BY THE A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.


PH13175 resolves the following problem:

ERROR DESCRIPTION:

In the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI), if a revoke endpoint URL is configured, when a user logs out, the tokens that are associated with the session are revoked.

However, if the session is evicted from the cache for any reason, such as the session expired or the cache is full, the tokens will not be revoked.  This behavior can cause problems for some administrators.

PROBLEM CONCLUSION:

The OIDC TAI is updated so that it can revoke tokens when a session is evicted from the cache.

The following property is added to the OIDC RP TAI custom properties:

Property Values Description
provider_<id>.revokeTokensOnCacheEviction true, false (default)

When this property is set to true and the provider_<id>.revokeEndpointUrl property is set to a value, when a session is evicted from the cache for any reason, the tokens in the session will be revoked.  

 

The fix for this APAR is targeted for inclusion in fix pack 8.5.5.16 and 9.0.5.1. Refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980


THIS FIX HAS BEEN SUPERSEDED BY THE A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.

Problems Solved

PH13175

Off

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support website (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (US only).

Document Location

Worldwide

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"ARM Category":[{"code":"a8m50000000CdESAA0","label":"Security->SSO->OpenId Connect"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.5;9.0.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
05 August 2020

UID

ibm10888181