IBM Support

PI63058: Add timeout to OAuth cache

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as new function.

Error description

  • The WebSphere Knowledge Center article titled "Registering
    OAuth clients" states:
    "After creating the client storing files and tables, you can
    directly add, delete, or modify a client.  You can also use
    WebSphere Application Server MBean or programming APIs to
    manage clients."
    
    
    But there are apparently significant caveats that are not
    stated if you directly update clients in the database.  For
    example, if you disable a client (set enabled=0), the client
    will remain valid until the cache entry is removed, which may
    not happen without a server restart.
    
    
    Sometimes it is difficult (and very inconvenient) to use the
    WebSphere MBean to update the OAuth clients.  We want to be
    able to update the database entities directly.
    
    
    It would be very helpful to be able to configure the cache
    entries to have a maximum lifetime (e.g.  one hour) after
    which they would automatically be refreshed from the database,
    or configure the cache to periodically clear itself, or
    disable the cache entirely.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OAuth                                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: Clients that have been disabled in      *
    *                      the database after load time can be     *
    *                      returned as valid clients from the      *
    *                      OAuth cache.                            *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    There are conditions where clients in the OAuth cache may
    become stale and should not be used.  A mechanism should be
    set up so that stale clients are less likely to be used.
    

Problem conclusion

  • The OAuth TAI is updated to add a custom property called
    oauth20.client.cache.seconds.  The value for this property is
    the number of seconds that a client can be in the cache after
    it is loaded from the database.
    
    If oauth20.client.cache.seconds is set to 0,  the OAuth TAI
    will not cache any clients.
    
    By default, there is no change in behavior.  To get the new
    behavior, add the following to your OAuth provider
    configuration:
    
    <parameter name="oauth20.client.cache.seconds"
    type="cc"  customizable="true">
        <value>600</value>
    </parameter>
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.43, 8.0.0.14, 8.5.5.12 and 9.0.0.4.  Please
    refer to the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI63058

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-05-25

  • Closed date

    2017-01-31

  • Last modified date

    2017-01-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PI63058

Modified date: 31 January 2017