PI55697: OpenID Connect Relying Party : No entry in cache for stateid

Download Description

THIS FIX HAS BEEN SUPERSEDED BY THE A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.

[1/4/16 14:05:21:107 CET] 00000057 WebAuthentica E SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: TheOpenID Connect replying party (RP) encountered a failure during the login. The exception is [No entry in cache for stateid: [6r0sco232ft5cstviumgm6i8fe]. Check the logs for details that lead to this exception.

PROBLEM SUMMARY

USERS AFFECTED:
Administrators of IBM WebSphere Application Server and OpenID Connect

PROBLEM DESCRIPTION:
The current implementation of the OpenID Connect Relying Party Trust Association Interceptor (TAI) in the full profile only supports the configuration of a single provider. If a user needs to configure the TAI to interact with multiple providers, they cannot do it.

RECOMMENDATION:
Install a fix pack that contains this APAR.

PROBLEM CONCLUSION:
When a request is made to a resource producted by the OpenID Connect Relying Party TAI, a login is initiated to the OpenID Connect Provider (OP). After login, the OP sends a response back to the TAI. Before login, the TAI saves state information about the login request in a cache using the 6r0sco232ft5cstviumgm6i8fe as the key. When the response is received from the OP, the TAI retrieves the request information from the cache. In a cluster environment, when the OP responds, the individual cluster member that receives the response is indeterminate. If the cluster member that retrieved the response is not the member that cached the login request, the CWTAI2007E error will occur.

This issue can normally be resolved by using session affinity. However, if you are using some front-end application to load balance the cluster member resources, using session affinity won't work.

The OpenID Connect TAI is updated in the following ways:

1. The dynacache put is set to PUSH
2. The session data that is stored in the cache is added to the request sent to the OP so that any cluster member that receives the response from the OP has access to it. This means that if a server that receives the response cannot find the key in the cache, it can find the information it needs from the response.

Keywords: IBMWL3WSS, OIDC, INTERIMFIX

THIS FIX HAS BEEN SUPERSEDED BY THE A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.