Fixes are available
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
APAR status
Closed as program error.
Error description
Some messages numbers in the Liberty OpenID Client (OIDC) feature are duplicated in Liberty fixpack 18.0.0.4. The affected messages are: The original messages in the OpenID Connect client are: CWWKS1754E: Validation failed for the ID token requested by [{1}] because the (aud) audience [{0}] specified in the token does not match the clientId [{1}] specified in the OpenID Connect client configuration. CWWKS1755E: Validation failed for the ID token requested by [{1}] because the (azp) authorized party [{0}] specified in the token does not match the clientId [{1}] specified in the OpenID Connect client configuration. CWWKS1756E: Validation failed for the ID token requested by [{0}] using the [{2}] algorithm due to a signature verification failure: [{1}]. CWWKS1757E: Validation failed for the ID token requested by [{0}] using the [{2}] algorithm due to a signature verification failure: [{1}]. CWWKS1758E: Validation failed for the ID token requested by the [{0}] due to [{1}]. This might have been caused by either the current time [{2}] being after the token expiration time [{3}] or the issue time [{4}] being too far away from the current time [{2}]. CWWKS1759E: Validation failed for the ID token requested by the [{0}] due to hash mismatch of access token [{1}] and the at_hash claim [{2}] in the ID token. The duplicates added in the OIDC discovery feature are: CWWKS1754E: The OpenID Connect client [{0}] failed to obtain Open ID Connect Provider endpoint information through the discovery endpoint URL [{1}]. Update the configuration for the OpenID Connect client with the correct HTTPS discovery endpoint URL. CWWKS1755E: A successful response was not returned from the URL [{0}]. This is the [{1}] response status and the [{2}] error from the discovery request. CWWKS1756I: The OpenID Connect client [{0}] configuration has been established with the information from the discovery endpoint URL [{1}]. This information enables the client to interact with the OpenID Connect provider to process the requests such as authorization and token. CWWKS1757I: The OpenID Connect client [{0}] configuration has been updated with the new information received from the discovery endpoint URL [{1}]. CWWKS1758I: The OpenID Connect client [{0}] configuration is consistent with the information from the discovery endpoint URL [{1}], so no configuration updates are needed. CWWKS1759E: The required [{0}] configuration attribute is missing or empty and a default value is not provided. Verify that the attribute is configured or discovered from the provider, that it is not empty, and that it does not consist of only white space characters. Any user application that may be checking for the original message numbers will not encounter any of the erroneous duplicates since the new messages are only emitted by the OIDC discovery feature.  
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server Liberty - OpenID Connect * **************************************************************** * PROBLEM DESCRIPTION: Liberty OIDC message numbers CWWKS1754 * * through CWWKS1759 are duplicated * **************************************************************** * RECOMMENDATION: * **************************************************************** Some messages numbers in the Liberty OpenID Client (OIDC) feature are duplicated in Liberty fixpack 18.0.0.4. The affected messages are: The original messages in the OpenID Connect client are: CWWKS1754E: Validation failed for the ID token requested by [{1}] because the (aud) audience [{0}] specified in the token does not match the clientId [{1}] specified in the OpenID Connect client configuration. CWWKS1755E: Validation failed for the ID token requested by [{1}] because the (azp) authorized party [{0}] specified in the token does not match the clientId [{1}] specified in the OpenID Connect client configuration. CWWKS1756E: Validation failed for the ID token requested by [{0}] using the [{2}] algorithm due to a signature verification failure: [{1}]. CWWKS1757E: Validation failed for the ID token requested by [{0}] using the [{2}] algorithm due to a signature verification failure: [{1}]. CWWKS1758E: Validation failed for the ID token requested by the [{0}] due to [{1}]. This might have been caused by either the current time [{2}] being after the token expiration time [{3}] or the issue time [{4}] being too far away from the current time [{2}]. CWWKS1759E: Validation failed for the ID token requested by the [{0}] due to hash mismatch of access token [{1}] and the at_hash claim [{2}] in the ID token. The duplicates added in the OIDC discovery feature are: CWWKS1754E: The OpenID Connect client [{0}] failed to obtain Open ID Connect Provider endpoint information through the discovery endpoint URL [{1}]. Update the configuration for the OpenID Connect client with the correct HTTPS discovery endpoint URL. CWWKS1755E: A successful response was not returned from the URL [{0}]. This is the [{1}] response status and the [{2}] error from the discovery request. CWWKS1756I: The OpenID Connect client [{0}] configuration has been established with the information from the discovery endpoint URL [{1}]. This information enables the client to interact with the OpenID Connect provider to process the requests such as authorization and token. CWWKS1757I: The OpenID Connect client [{0}] configuration has been updated with the new information received from the discovery endpoint URL [{1}]. CWWKS1758I: The OpenID Connect client [{0}] configuration is consistent with the information from the discovery endpoint URL [{1}], so no configuration updates are needed. CWWKS1759E: The required [{0}] configuration attribute is missing or empty and a default value is not provided. Verify that the attribute is configured or discovered from the provider, that it is not empty, and that it does not consist of only white space characters. Any user application that may be checking for the original message numbers will not encounter any of the erroneous duplicates since the new messages are only emitted by the OIDC discovery feature.
Problem conclusion
The duplicate message numbers are re-numbered so that there are no conflicting message numbers: CWWKS1521E: The OpenID Connect client [{0}] failed to obtain Open ID Connect Provider endpoint information through the discovery endpoint URL [{1}]. Update the configuration for the OpenID Connect client with the correct HTTPS discovery endpoint URL. CWWKS1525E: A successful response was not returned from the URL [{0}]. This is the [{1}] response status and the [{2}] error from the discovery request. CWWKS1526I: The OpenID Connect client [{0}] configuration has been established with the information from the discovery endpoint URL [{1}]. This information enables the client to interact with the OpenID Connect provider to process the requests such as authorization and token. CWWKS1527I: The OpenID Connect client [{0}] configuration has been updated with the new information received from the discovery endpoint URL [{1}]. CWWKS1528I: The OpenID Connect client [{0}] configuration is consistent with the information from the discovery endpoint URL [{1}], so no configuration updates are needed. CWWKS1529E: The required [{0}] configuration attribute is missing or empty and a default value is not provided. Verify that the attribute is configured or discovered from the provider, that it is not empty, and that it does not consist of only white space characters. The fix for this APAR is currently targeted for inclusion in fix pack 19.0.0.2. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PH09706
Reported component name
LIBERTY PROFILE
Reported component ID
5724J0814
Reported release
CD0
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-03-13
Closed date
2019-03-21
Last modified date
2019-03-21
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
LIBERTY PROFILE
Fixed component ID
5724J0814
Applicable component levels
RCD0 PSY
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"CD0","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
17 October 2021