Download
Abstract
The OIDC Relying Party TAI may store incorrect data in DynaCache.
Download Description
THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.
PI80317 resolves the following problem:
ERROR DESCRIPTION:
When the OIDC RP is configured to use DynaCache, it is possible for incorrect data to be stored and replicated.
PROBLEM SUMMARY:
The OpenID Connect TAI can cache incorrect data in DynaCache.
PROBLEM CONCLUSION:
The OpenID Connect Relying Party TAI creates a session cache entry using a default timeout before requesting tokens from the OP. After receiving the tokens from the OP, it will update the cache entry with the new timeouts, add the tokens and add an alias. If the DynaCache replicates between when the session cache entry is created and the entry is updated, unexpected behavior can occur.
The OIDC TAI is updated to not create the session cache entry until after the tokens are received from the OP.
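The ordering problem described above can be reproduced with a small model. This is an added example, not IBM's code and not the DynaCache API: `Node`, `fetch_tokens`, `DEFAULT_TIMEOUT` and the entry fields are hypothetical, and replication is modeled as a snapshot pushed to one peer at the moment the token request is in flight.

```python
import copy

DEFAULT_TIMEOUT = 600  # constructed placeholder, seconds


class Node:
    """One cache member; replicate() pushes a snapshot of its entries to the peer."""

    def __init__(self):
        self.entries = {}
        self.peer = None
        self.received = []  # every snapshot this node was sent

    def replicate(self):
        self.peer.received.append(copy.deepcopy(self.entries))


def fetch_tokens(node):
    # Stand-in for the token request to the OP. Replication firing here models
    # the window between entry creation and entry update.
    node.replicate()
    return {"id_token": "constructed-token", "expires_in": 3600}


def complete_entry(tokens, session_id):
    return {"timeout": tokens["expires_in"], "tokens": tokens,
            "alias": "alias-" + session_id}


def login_before_fix(node, session_id):
    # Entry is created with the default timeout before any tokens exist.
    node.entries[session_id] = {"timeout": DEFAULT_TIMEOUT, "tokens": None, "alias": None}
    tokens = fetch_tokens(node)
    node.entries[session_id].update(complete_entry(tokens, session_id))


def login_after_fix(node, session_id):
    # Entry is created only after the tokens have been received.
    tokens = fetch_tokens(node)
    node.entries[session_id] = complete_entry(tokens, session_id)


def peer_saw_incomplete(login):
    """Return True if the peer was ever sent an entry lacking tokens or alias."""
    a, b = Node(), Node()
    a.peer = b
    login(a, "s1")
    a.replicate()  # a later, normal replication cycle
    return any(e["tokens"] is None or e["alias"] is None
               for snap in b.received for e in snap.values())
```

With the pre-fix ordering the peer receives a session entry that has the default timeout and no tokens or alias; with the post-fix ordering every replicated entry is complete.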
The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.14, 8.5.5.12 and 9.0.0.5. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Keywords: IBMWL3WSS, OIDC
Document Information
Modified date: 10 July 2019
UID: swg24043665