IBM Support

LI82621: OVERRIDE_PROVIDER_TTL OPTION FOR OIDC USER REGISTRY DOES NOT WORK


APAR status

  • Closed as program error.

Error description

  • override_provider_ttl option for OIDC user registry does not
    seem to work.
    
    User has tested a couple of scenarios:
    
    - Created an OIDC user registry with override_provider_ttl false and
    configured it in Cloud Manager. User invited a new user to the Admin
    org and assigned a role. I have validated that the access token TTL
    was set to 1 hour (inherited from identity provider). User has
    changed override_provider_ttl to true. User has logged out and
    logged back in to get a new token. I still got a TTL of 1 hour on
    the access token, instead of the expected 8 hours (APIC default). User
    changed the Access Token TTL in Onboarding settings to 4 hours.
    Logged out and logged back in again - again got 1 hour TTL on
    access token instead of expected 4. Restarted APIM pod. Logged
    out and logged in - still got 1 hour TTL on access token.
    
    - User has created an OIDC UR with override_provider_ttl set to true
    from the start. After onboarding a new member, the user received a
    token with 1 hour TTL instead of the expected 4 hours.
    
    The expectation here is that the override_provider_ttl option, when
    enabled, will override the TTL of the access token received from
    the IDP, rewriting it to what is set up in Onboarding settings
    in Cloud Manager, instead of honoring IDP settings. This should
    be valid for both Cloud Manager and API Manager login.
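
As an added example (not part of the APAR and not IBM's code), the following Python check reads the lifetime of an access token and reports whether it matches the Cloud Manager Onboarding setting or the identity provider's value, which is the comparison the scenarios above make by hand. It assumes the access token is a JWT carrying integer `iat` and `exp` claims; the function names and the sample token are constructed for illustration.

```python
import base64
import json

HOUR = 3600

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_ttl_seconds(token: str) -> int:
    """Return exp - iat from a JWT payload (claims are read, not verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    for name in ("iat", "exp"):
        if not isinstance(claims.get(name), int):
            raise ValueError(f"missing or non-integer claim: {name}")
    return claims["exp"] - claims["iat"]

def ttl_source(ttl: int, apic_ttl: int, provider_ttl: int, slack: int = 60) -> str:
    """Say which setting the observed lifetime matches, within `slack` seconds."""
    if abs(ttl - apic_ttl) <= slack:
        return "apic-setting"
    if abs(ttl - provider_ttl) <= slack:
        return "provider"
    return "unknown"

def make_sample_token(iat: int, ttl: int) -> str:
    # Constructed, unsigned sample token for the demonstration only.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'iat': iat, 'exp': iat + ttl})}.sig"

if __name__ == "__main__":
    # Scenario from the report: override enabled, 4 hours configured, IdP issues 1 hour.
    observed = token_ttl_seconds(make_sample_token(1_652_400_000, 1 * HOUR))
    print(observed, ttl_source(observed, apic_ttl=4 * HOUR, provider_ttl=1 * HOUR))
```

A result of `provider` with override_provider_ttl enabled corresponds to the behaviour this APAR reports; `apic-setting` is the expected outcome.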
    

Local fix

Problem summary

  • OVERRIDE_PROVIDER_TTL (Use IBM APIC token expiration setting
    from the cloud) property change doesn't take effect when the
    user modifies this property in the OIDC User Registry in API
    Manager and Cloud Manager.
    

Problem conclusion

  • The fix is targeted for inclusion in IBM API Connect v10.0.1.7
    and v10.0.5.
    

Temporary fix

Comments

APAR Information

  • APAR number

    LI82621

  • Reported component name

    API CONNECT ENT

  • Reported component ID

    5725Z2201

  • Reported release

    A0X

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-05-13

  • Closed date

    2022-07-15

  • Last modified date

    2022-09-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    API CONNECT ENT

  • Fixed component ID

    5725Z2201

Applicable component levels


Document Information

Modified date:
08 September 2022