APAR status
Closed as program error.
Error description
In a high-stress environment where there is a high volume of requests, the OIDC TAI might randomly reject a small number of requests. The following can be observed in the logs:

CWTAI2013E: The OpenID Connect relying party (RP) failed to authenticate the user using access token [0001QTmQJln21h70tTUlNoqpWyp0] because [Some of the attributes needed to create the subject are missing: [AccessToken: [null] ].].

The requests that are rejected are exclusively in the introspection path and tend to occur when access tokens are expiring and are getting refreshed.
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server and the OIDC TAI

PROBLEM DESCRIPTION: The OIDC TAI might reject introspection requests after access tokens are refreshed.

RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.

The OIDC TAI might reject a low volume of requests randomly in the introspection path when access tokens are getting refreshed.
Problem conclusion
There is a synchronization error in the introspection path of the OIDC TAI, specifically when an access token is refreshed. This ends up causing corruption of the SessionData object.

The synchronization of the OIDC TAI's introspection path is updated to make sure that only one thread attempts an access token refresh and other interested threads wait for completion. When the refresh is complete, all unblocked threads check for expiration again, then proceed to use the updated SessionData object with the new access token.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.23 and 9.0.5.13. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
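The synchronization pattern described above, sketched as an added example. This is not IBM's code and not the WebSphere SessionData class; `SingleFlightRefresh`, `Tokens`, and the `refresher` function (standing in for the call to the OpenID provider's token endpoint) are hypothetical names, and the token values are constructed.

```java
import java.util.Set;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;
public class SingleFlightRefresh {
    /** Immutable snapshot: token and expiry are always published together. */
    static final class Tokens {
        final String access, refresh; final long expiresAtMs;
        Tokens(String access, String refresh, long expiresAtMs) {
            this.access = access; this.refresh = refresh; this.expiresAtMs = expiresAtMs;
        }
        boolean expired() { return System.currentTimeMillis() >= expiresAtMs; }
    }

    private final Object refreshLock = new Object();
    private final Function<String, Tokens> refresher; // hypothetical token-endpoint call
    private volatile Tokens current;
    SingleFlightRefresh(Tokens initial, Function<String, Tokens> refresher) {
        this.current = initial; this.refresher = refresher;
    }
    String accessToken() {
        Tokens t = current;
        if (!t.expired()) return t.access;        // fast path, no lock
        synchronized (refreshLock) {              // other interested threads wait here
            t = current;                          // re-check expiration once unblocked
            if (t.expired()) {
                t = refresher.apply(t.refresh);   // only one thread performs the refresh
                if (t == null || t.access == null)
                    throw new IllegalStateException("refresh returned no access token");
                current = t;                      // single atomic publish of the new snapshot
            }
            return t.access;
        }
    }

    public static void main(String[] args) throws Exception {
        AtomicInteger refreshCalls = new AtomicInteger();
        SingleFlightRefresh s = new SingleFlightRefresh(
            new Tokens("constructed-old", "constructed-rt", 0L),   // already expired
            rt -> new Tokens("constructed-new-" + refreshCalls.incrementAndGet(), rt,
                             System.currentTimeMillis() + 60_000));
        ExecutorService pool = Executors.newFixedThreadPool(16);
        Set<String> seen = ConcurrentHashMap.newKeySet();
        for (int i = 0; i < 200; i++) pool.execute(() -> seen.add(s.accessToken()));
        pool.shutdown();
        pool.awaitTermination(10, TimeUnit.SECONDS);
        System.out.println("refresh calls=" + refreshCalls.get() + " tokens seen=" + seen);
    }
}
```

Because the token, refresh token, and expiry live in one immutable object that is swapped in a single volatile write, a concurrent reader sees either the old snapshot or the new one, never a half-updated session with a null access token.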
Temporary fix
Comments
APAR Information
APAR number
PH45297
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-03-30
Closed date
2022-06-17
Last modified date
2022-06-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
Document Information
Modified date:
18 June 2022