IBM Support

PH40532: OIDC TAI MIGHT NOT REMOVE OAUTH ACCESS TOKEN CACHE ENTRIES


APAR status

  • Closed as program error.

Error description

  • The OpenID Connect (OIDC) Trust Association Interceptor (TAI)
    can fill up the SessionData cache with OAuth access token
    entries.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and the OIDC                         *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC TAI does not remove OAuth      *
    *                      access token entries from the           *
    *                      SessionData cache.                      *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The OIDC TAI stores information about access tokens that are
    obtained using the
    com.ibm.websphere.security.oidc.util.OauthClientHelper API in
    the SessionData cache. These OAuth access tokens can fill up
    the cache.
    

Problem conclusion

  • When an access token is obtained with the API, a lifetime is not
    set on the SessionData object. Therefore, the SessionData object
    does not time out.
    
    The OIDC runtime is updated to set the lifetime of a SessionData
    object when an access token is obtained with an API. The lifetime
    will either be the lifetime of the access token, or the value that
    is hardcoded in the OIDC TAI configuration by the administrator.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.21 and 9.0.5.11. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
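
The defect and the fix described in this conclusion, modelled as an added Java example. This is not IBM's code: `TokenCacheModel` and its methods are hypothetical, and giving the administrator's configured value precedence over the token's own lifetime is an assumption.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model of a token cache. Class and method names are hypothetical
// and do not reflect WebSphere's SessionData implementation.
public class TokenCacheModel {
    static final long NO_EXPIRY = Long.MAX_VALUE;
    // token id -> absolute expiry time in seconds
    private final Map<String, Long> expiresAt = new LinkedHashMap<>();

    // Defect as described: the entry is stored without a lifetime.
    void putWithoutLifetime(String tokenId) {
        expiresAt.put(tokenId, NO_EXPIRY);
    }

    // Fix as described: the entry gets a lifetime. Assumption: a configured
    // value greater than zero overrides the access token's own lifetime.
    void putWithLifetime(String tokenId, long now, long tokenLifetimeSec, long configuredSec) {
        long lifetime = configuredSec > 0 ? configuredSec : tokenLifetimeSec;
        expiresAt.put(tokenId, now + lifetime);
    }

    // Sweep that drops entries whose expiry has passed; returns what remains.
    int evictExpired(long now) {
        expiresAt.values().removeIf(exp -> exp <= now);
        return expiresAt.size();
    }

    public static void main(String[] args) {
        TokenCacheModel before = new TokenCacheModel();
        TokenCacheModel after = new TokenCacheModel();
        // Constructed workload: one token request per second for an hour,
        // each token valid for 300 seconds, no configured override.
        for (long t = 0; t < 3600; t++) {
            before.putWithoutLifetime("tok-" + t);
            after.putWithLifetime("tok-" + t, t, 300, 0);
            before.evictExpired(t);
            after.evictExpired(t);
        }
        System.out.println("entries without lifetime: " + before.evictExpired(3600));
        System.out.println("entries with lifetime:    " + after.evictExpired(3600));
    }
}
```

In the model, the cache without lifetimes keeps one entry for every token ever requested, while the cache with lifetimes stays bounded by the request rate multiplied by the lifetime.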
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH40532

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-09-10

  • Closed date

    2021-11-17

  • Last modified date

    2021-11-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
06 December 2021