PI87354: OPENID CONNECT (OIDC) RELYING PARTY (RP) DOES NOT LOGOUT USER IF OIDC SESSION COOKIE IS NOT PRESENT

Fixes are available

APAR status

Closed as program error.

Error description

When logging out from the OIDC RP, the user can only be logged
out from the device which initiates the login and has an OIDC
session cookie.

If the user has access to a resource by the OIDC TAI by virtue
of an access token in the Authorization header in the HTTP
request, if the user logs out, the OIDC TAI will not perform
its logout.

Local fix

```
N/A
```

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server of the     *
*                  OpenId Connect Relying Party                *
****************************************************************
* PROBLEM DESCRIPTION: The OIDC RP is unable to perform a      *
*                      logout if the OIDC session cookie is    *
*                      not present                             *
****************************************************************
* RECOMMENDATION:                                              *
*                  Install a fix pack or interim fix that      *
*                  contains this APAR.                         *
****************************************************************
The OpenID Connect (OIDC) Relying Party (RP) TAI is unable to
perform a logout if the OIDC session cookie is not present on
the HTTP request.  The OIDC TAI can detect existing credentials
using various means, one of which is the OIDC session cookie.
If the session credentials are being maintained by an access
token in the Authentication header of the HTTP request instead
of the OIDC cookie, when an HTTP logout is performed, the user
will not be logged out.

Problem conclusion

When the HTTP logout API is invoked, the OIDC TAI is only
inspecting the OIDC session cookie to find the data to remove
from the OIDC session cache.  If the OIDC session cookie is
not present on the HTTP request which is performing the
logout, the user will not be logged out.

The OIDC TAI is updated so that it can logout using either the
OIDC session cookie, the access token in the Authentication
header of the HTTP request, or both.

* By default, the TAI will remove credentials from the OIDC
session cache using the OIDC session cookie.

* If the OIDC session cookie does not exist, credentials will
be removed from the OIDC session cache using the access token
in the Authentication token in the header of the HTTP request,
if it exists.

* If you set the alwaysInvalidateAccessTokenOnLogout OIDC TAI
custom property to true, the OIDC TAI will remove data from
the OIDC session cache using data from both the OIDC session
cookie and the access token in the Authentication header of
the HTTP request.

If there is an OIDC session cookie on the request, the user
will be accessing the protected resource using the
credentials based on the initial login to the OP.  Usually, if
there is an access token on the HTTP header, it will be same
as the one associated with the cookie.  However, if, for some
reason, the access token in the HTTP header is not the same as
the one associated with the OIDC session cookie, it is
possible to do a logout with the cookie then still have
access to the resource based on the access token in the HTTP
header.  This may or may not be intended.  The purpose of the
alwaysInvalidateAccessTokenOnLogout is to allow the
administrator decide the desired logout scheme.

The following OIDC TAI custom property is added:

==============
alwaysInvalidateAccessTokenOnLogout
values: true/false (default)
description:
By default, when a logout is performed, if an OIDC session
cookie is present on a request, the logout is performed using
only the information associated with the OIDC session cookie.
If there is no OIDC session cookie, then the logout is
performed using the access token in the Authorization header
of the request.

If this property is set to true, the logout will be performed
using information from both the OIDC session cookie and the
Authorization header of the request, if they exist.
==============

The TAI does not make a request to the OP to revoke the
token.

The fix for this APAR is currently targeted for inclusion in
fix pack 8.0.0.15, 8.5.5.13 and 9.0.0.6.  Please refer to the
Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PI87354
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-09-14
Closed date
2017-09-18
Last modified date
2017-09-18

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R800 PSY
UP
R850 PSY
UP
R900 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 May 2022

Tips

PI87354: OPENID CONNECT (OIDC) RELYING PARTY (RP) DOES NOT LOGOUT USER IF OIDC SESSION COOKIE IS NOT PRESENT

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R800 PSY

R850 PSY

R900 PSY

Document Information

Share your feedback

Need support?