PI93579: 'EXP' IS EARLIER THAN THE 'IAT' IN OIDC TOKEN

APAR status

  • Closed as program error.

Error description

  • When the OpenID Connect Provider idTokenLifetime is set to
    2160000 seconds or more, the idToken 'exp' value will be
    less than the 'iat' value.

Local fix

  • Set the OpenID Connect Provider idTokenLifetime setting to no
    more than 20 days (1728000 seconds).
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty - OpenID Connect             *
    ****************************************************************
    * PROBLEM DESCRIPTION: OpenID Connect Provider may set the     *
    *                      idToken exp to a value less than its    *
    *                      iat                                     *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    In the Liberty OpenID Connect Provider feature, if the
    idTokenLifetime setting is in the range of 25 days (600 minutes,
    or 2160000 seconds) or more, the idToken's expiration (exp)
    value is set to less than the issued at (iat) value.  The exp
    value should always be greater than the iat value.
    
    When you trace the OP, you'll see something similar to:
    [2/8/18 15:44:56:108 EST] 00000034 JwtCreator    3
    intermediate:
    audiences claims
    oidcclient
                                     JWT Claims Set:{sub=Jackson,
    at_hash=NNi1FZCXJEteNCtuFHrCOA, realmName=BasicRegistry,
    uniqueSecurityName=Jackson,
    iss=https://localhost:9443/oidc/endpoint/OP,
    aud=oidcclient, exp=1516419728, iat=1518122696}
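    The defender-side consequence of this APAR is that a relying party
    must not assume an id_token from a trusted OP has sane time claims.
    The following is an added example, not code from the APAR or from
    Liberty: it parses a JwtCreator trace line of the form shown above,
    rejects a claims set whose exp is not after iat, and checks a
    configured idTokenLifetime against the 20-day (1728000 s) ceiling
    given under "Local fix". The final helper models one arithmetic
    mechanism that would reproduce the 2160000-second boundary
    (2160000 s x 1000 ms/s exceeds 2^31 - 1); the APAR does not state the
    root cause, so that model is an assumption, labelled as such in the
    code.

```python
import re

# Constructed from the trace excerpt in the APAR; whitespace simplified.
TRACE_CLAIMS = ("JWT Claims Set:{sub=Jackson, at_hash=NNi1FZCXJEteNCtuFHrCOA, "
                "realmName=BasicRegistry, uniqueSecurityName=Jackson, "
                "iss=https://localhost:9443/oidc/endpoint/OP, "
                "aud=oidcclient, exp=1516419728, iat=1518122696}")

# Ceiling from the APAR's local fix: 20 days expressed in seconds.
MAX_SAFE_LIFETIME_SECONDS = 1728000

def parse_trace_claims(line):
    """Parse the `key=value, key=value` body of a JwtCreator trace line into a dict.
    Numeric time claims (exp, iat, nbf) are converted to int."""
    m = re.search(r"JWT Claims Set:\{(.*)\}", line)
    if not m:
        raise ValueError("no 'JWT Claims Set' found in trace line")
    claims = {}
    for part in m.group(1).split(", "):
        key, _, value = part.partition("=")
        claims[key.strip()] = value.strip()
    for numeric in ("exp", "iat", "nbf"):
        if numeric in claims:
            claims[numeric] = int(claims[numeric])
    return claims

def check_time_claims(claims, now=None, skew=120):
    """Return a list of problems with the time claims; an empty list means they pass.
    The exp > iat check is the one this APAR shows an OP can violate."""
    problems = []
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or iat is None:
        problems.append("exp and iat are both required")
        return problems
    if exp <= iat:
        problems.append(f"exp ({exp}) is not after iat ({iat})")
    if now is not None:
        if iat > now + skew:
            problems.append(f"iat ({iat}) is in the future")
        if exp <= now - skew:
            problems.append(f"token expired at {exp}")
    return problems

def lifetime_is_safe(id_token_lifetime_seconds):
    """True when a configured idTokenLifetime stays within the APAR's local-fix ceiling."""
    return 0 < id_token_lifetime_seconds <= MAX_SAFE_LIFETIME_SECONDS

def model_exp_with_int32_ms(iat, lifetime_seconds):
    """ASSUMPTION (not stated in the APAR): model exp = iat + lifetime where the
    lifetime is converted to milliseconds in a signed 32-bit integer first.
    Any lifetime of 2147484 s or more then wraps negative, which matches the
    boundary the APAR reports (2160000 s) and the exp < iat symptom."""
    ms = lifetime_seconds * 1000
    wrapped = ((ms + 2**31) % 2**32) - 2**31   # two's-complement int32 wraparound
    return iat + wrapped // 1000

if __name__ == "__main__":
    claims = parse_trace_claims(TRACE_CLAIMS)
    print(check_time_claims(claims))                     # exp is not after iat
    print(lifetime_is_safe(1728000), lifetime_is_safe(2160000))
    print(model_exp_with_int32_ms(claims["iat"], 2160000) < claims["iat"])
```

    Running it against the trace from the APAR reports the inverted
    exp/iat pair; a relying party that applies check_time_claims before
    accepting an id_token fails closed on this defect instead of silently
    trusting an OP-issued token whose lifetime is negative.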
    

Problem conclusion

  • The OpenID Connect Provider feature is updated to always set the
    idToken expiration (exp) to a value that is greater than that of
    the date and time it was issued (iat).
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 18.0.0.1.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI93579

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    CD0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-02-09

  • Closed date

    2018-02-12

  • Last modified date

    2018-02-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROFILE

  • Fixed component ID

    5724J0814

Applicable component levels

Document information

More support for: WebSphere Application Server

Software version: CD0

Reference #: PI93579

Modified date: 12 February 2018