IBM Support

PI63058: Add timeout to OAuth cache


You can track all active APARs for this component.

APAR status

  • Closed as new function.

Error description

  • The WebSphere Knowledge Center article titled "Registering
    OAuth clients" states:
    "After creating the client storing files and tables, you can
    directly add, delete, or modify a client.  You can also use
    WebSphere Application Server MBean or programming APIs to
    manage clients."
    But there are apparently significant caveats that are not
    stated if you directly update clients in the database.  For
    example, if you disable a client (set enabled=0), the client
    will remain valid until the cache entry is removed, which may
    not happen without a server restart.
    Sometimes it is difficult (and very inconvenient) to use the
    WebSphere MBean to update the OAuth clients.  We want to be
    able to update the database entities directly.
    It would be very helpful to be able to configure the cache
    entries to have a maximum lifetime (e.g.  one hour) after
    which they would automatically be refreshed from the database,
    or configure the cache to periodically clear itself, or
    disable the cache entirely.

Local fix

  • N/A

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OAuth                                       *
    * PROBLEM DESCRIPTION: Clients that have been disabled in      *
    *                      the database after load time can be     *
    *                      returned as valid clients from the      *
    *                      OAuth cache.                            *
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    There are conditions where clients in the OAuth cache may
    become stale and should not be used.  A mechanism should be
    set up so that stale clients are less likely to be used.

Problem conclusion

  • The OAuth TAI is updated to add a custom property called
    oauth20.client.cache.seconds.  The value for this property is
    the number of seconds that a client can be in the cache after
    it is loaded from the database.
    If oauth20.client.cache.seconds is set to 0,  the OAuth TAI
    will not cache any clients.
    By default, there is no change in behavior.  To get the new
    behavior, add the following to your OAuth provider
    <parameter name="oauth20.client.cache.seconds"
    type="cc"  customizable="true">
    The fix for this APAR is currently targeted for inclusion in
    fix packs,, and  Please
    refer to the Recommended Updates page for delivery information:

Temporary fix


APAR Information

  • APAR number


  • Reported component name


  • Reported component ID


  • Reported release


  • Status


  • PE




  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date


  • Closed date


  • Last modified date


  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name


  • Fixed component ID


Applicable component levels

  • R700 PSY


  • R800 PSY


  • R850 PSY


  • R900 PSY


Document information

More support for: WebSphere Application Server

Software version: 850

Reference #: PI63058

Modified date: 31 January 2017