Fix (APAR): PH13175
Status: Fix
Release: 9.0.5.0, 9.0.0.11, 9.0.0.10, 9.0.0.9, 9.0.0.8, 9.0.0.7, 9.0.0.6, 9.0.0.5, 9.0.0.4, 9.0.0.3, 9.0.0.2, 9.0.0.1, 9.0.0.0
Operating System: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Supersedes Fixes: PI59831 PI63906 PI64573 PI64924 PI65751 PI73318 PI74857 PI75095 PI78336 PI80543 PI80549 PI80317 PI82308 PI84244 PI86752 PI87354 PI88253 PI88896 PI90373 PI92210 PI92332 PI94538 PI96508 PH00569 PH02192 PH03525 PH07297 PH08804 PH10503 PH10892 PH11107 PH11684 PH12520
CMVC Defect: xxxxxx
Byte size of APAR: 3887178
Date: 2019-07-10

Abstract: Tokens are not revoked when sessions are evicted from the cache

Description/symptom of problem:
PH13175 resolves the following problem:

ERROR DESCRIPTION:
When using the OpenID Connect (OIDC) Relying Party Trust Association Interceptor (TAI) on WebSphere Application Server, it is possible that the refresh and access tokens for a logged-in user are not revoked when the user's session is evicted from the cache.

LOCAL FIX:
N/A

PROBLEM SUMMARY:
USERS AFFECTED: IBM WebSphere Application Server users of OpenID Connect

PROBLEM DESCRIPTION: The OIDC TAI does not revoke the tokens associated with a session when that session is evicted from the cache.

RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.

In the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI), if a revoke endpoint URL is configured, the tokens associated with a session are revoked when the user logs out. However, if the session is evicted from the cache for any reason, such as the session expiring or the cache being full, the tokens are not revoked. This behavior may cause problems for some administrators.

PROBLEM CONCLUSION:
The OIDC TAI is updated so that it can revoke tokens when a session is evicted from the cache. A new OIDC TAI custom property is added:

    provider_.revokeTokensOnCacheEviction

The valid values are true and false (default).

When the provider_.revokeTokensOnCacheEviction property is set to true and the provider_.revokeEndpointUrl property is set to a value, the tokens in the session data are revoked whenever the session data is evicted from the cache, for any reason.

The fix for this APAR is currently targeted for inclusion in fix packs 8.5.5.16 and 9.0.5.1. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:
Install the fix to all WebSphere installations unless special instructions are included below.

Special Instructions:
None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.8.5 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes:
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:
The IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes:
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
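The following Python model is an added illustration of the PROBLEM CONCLUSION above; it is not WebSphere code and does not reproduce the TAI's implementation. It models an RP session cache with two eviction paths (cache full, session timeout) next to explicit logout, and shows which tokens are still valid at the OpenID Provider afterwards with the new property off (the pre-fix behaviour) and on. The endpoint URL, session ids, subjects and token strings are constructed placeholders; the revocation call shape follows RFC 7009.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode

# Constructed placeholder for the OP's revocation endpoint (the APAR names the
# provider_.revokeEndpointUrl property but gives no URL).
REVOKE_ENDPOINT_URL = "https://op.example/oidc/revoke"


@dataclass
class SessionData:
    """What the RP keeps per authenticated session (hypothetical, simplified)."""
    subject: str
    access_token: str
    refresh_token: str


@dataclass
class RevocationRequest:
    """One RFC 7009 token revocation call the RP would POST to the endpoint."""
    url: str
    token: str
    token_type_hint: str

    def body(self) -> str:
        # RFC 7009 section 2.1: form-encoded 'token' plus an optional type hint.
        return urlencode({"token": self.token, "token_type_hint": self.token_type_hint})


class RelyingPartySessionCache:
    """Bounded LRU session cache with optional revoke-on-eviction (model only)."""

    def __init__(self, max_entries: int, revoke_endpoint_url: Optional[str] = None,
                 revoke_tokens_on_cache_eviction: bool = False,
                 send: Optional[Callable[[RevocationRequest], None]] = None) -> None:
        self._entries: "OrderedDict[str, SessionData]" = OrderedDict()
        self._max_entries = max_entries
        self._revoke_url = revoke_endpoint_url
        self._revoke_on_eviction = revoke_tokens_on_cache_eviction
        self._send = send  # a real RP would HTTP POST here; None means record only
        self.revoked: List[str] = []    # tokens for which a revocation was issued
        self.unrevoked: List[str] = []  # tokens that left the cache still valid at the OP

    def put(self, session_id: str, data: SessionData) -> None:
        self._entries[session_id] = data
        self._entries.move_to_end(session_id)
        # Cache full: drop the least recently used entries (eviction, not logout).
        while len(self._entries) > self._max_entries:
            _, evicted = self._entries.popitem(last=False)
            self._on_evict(evicted)

    def expire(self, session_id: str) -> None:
        """Session timeout: a second eviction path, distinct from user logout."""
        data = self._entries.pop(session_id, None)
        if data is not None:
            self._on_evict(data)

    def logout(self, session_id: str) -> None:
        """Explicit logout revokes whenever a revoke endpoint is configured."""
        data = self._entries.pop(session_id, None)
        if data is not None:
            self._revoke(data)

    def _on_evict(self, data: SessionData) -> None:
        # Both properties must be set for eviction to trigger revocation.
        if self._revoke_on_eviction and self._revoke_url:
            self._revoke(data)
        else:
            # Pre-fix behaviour: the tokens outlive the RP session.
            self.unrevoked.extend([data.refresh_token, data.access_token])

    def _revoke(self, data: SessionData) -> None:
        if not self._revoke_url:
            return
        # Refresh token first; RFC 7009 section 2.1 says the OP SHOULD then also
        # invalidate access tokens from the same grant, so the second call is defence in depth.
        for token, hint in ((data.refresh_token, "refresh_token"),
                            (data.access_token, "access_token")):
            request = RevocationRequest(self._revoke_url, token, hint)
            if self._send is not None:
                self._send(request)
            self.revoked.append(token)


def demonstrate(revoke_tokens_on_cache_eviction: bool) -> Dict[str, List[str]]:
    """Run one logout, one capacity eviction and one timeout through the cache."""
    cache = RelyingPartySessionCache(
        max_entries=2, revoke_endpoint_url=REVOKE_ENDPOINT_URL,
        revoke_tokens_on_cache_eviction=revoke_tokens_on_cache_eviction)
    # Constructed sample sessions and tokens.
    cache.put("s1", SessionData("alice", "at-alice", "rt-alice"))
    cache.put("s2", SessionData("bob", "at-bob", "rt-bob"))
    cache.logout("s2")                                          # revoked either way
    cache.put("s3", SessionData("carol", "at-carol", "rt-carol"))
    cache.put("s4", SessionData("dave", "at-dave", "rt-dave"))  # cache full: s1 evicted
    cache.expire("s3")                                          # timeout: s3 evicted
    return {"revoked": cache.revoked, "unrevoked": cache.unrevoked,
            "still_cached": list(cache._entries)}


if __name__ == "__main__":
    for setting in (False, True):
        print(f"revokeTokensOnCacheEviction={str(setting).lower()}: {demonstrate(setting)}")
```

With the property off, only the logged-out user's tokens are revoked; the tokens of the two evicted sessions stay usable at the OP until they expire on their own, which is the exposure the APAR closes. With it on, every eviction generates revocation calls to the OP, so after enabling it on a busy RP expect a corresponding rise in traffic to the revoke endpoint.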