IBM Support

PI47460: ADD MULTI-PROVIDER SUPPORT TO OPENID CONNECT RELYING PARTY IN THE FULL PROFILE.

Fixes are available

PI47460: Add multi-provider support to OpenID Connect Relying Party in the full profile
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
PI55697: OpenID Connect Relying Party : No entry in cache for stateid
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21

APAR status

  • Closed as program error.

Error description

  • The WebSphere Application Server full profile OpenID Connect
    RP will not work with multiple OpenID Connect providers. The
    Trust Association Interceptor (TAI) configuration of RP will
    only allow one provider to be configured.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenID Connect relying party                *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OpenID Connect Relying Party (RP)   *
    *                      TAI does not support multiple           *
    *                      providers.                              *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    The current implementation of the OpenID Connect relying party
    Trust Association Interceptor (TAI) in the full profile only
    supports the configuration of a single provider. A user who needs
    the TAI to interact with multiple providers has no way to
    configure it to do so.
    

Problem conclusion

  • The OpenID Connect relying party TAI is updated to add
    multi-provider support.
    
    You configure each provider by embedding a provider_<id> prefix
    in the TAI property name. The ids are numbered sequentially, one
    per OP. Some TAI properties apply to all providers, and those
    properties are not prefixed with provider_<id>.
    
    For example, the following properties configure two providers:
    
    provider_1.identifier=provider1
    provider_1.interceptedPathFilter=/testapp1
    provider_1.clientId=client01
    provider_1.clientSecret=secret_01
    provider_1.authorizeEndpointUrl=https://localhost:8020/oidc/endpoint/OP/authorize
    provider_1.tokenEndpointUrl=https://localhost:8020/oidc/endpoint/OP/token
    provider_1.scope=openid general
    provider_2.identifier=provider2
    provider_2.interceptedPathFilter=/testapp2
    provider_2.clientId=client02
    provider_2.clientSecret=secret_02
    provider_2.authorizeEndpointUrl=https://accounts.google.com/o/oauth2/auth
    provider_2.tokenEndpointUrl=https://www.googleapis.com/oauth2/v3/token
    provider_2.scope=openid general email
    provider_2.jwkEndpointUrl=https://www.googleapis.com/oauth2/v2/certs
    provider_2.issuerIdentifier=accounts.google.com
    provider_2.signatureAlgorithm=RS256
    provider_2.userIdentifier=email
    callbackServletContext=/oidcclient
    
    See
    http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-dist&topic=csec_oidprop
    for more information on the OpenID Connect RP custom properties.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 8.0.0.12 and 8.5.5.8.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
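The provider_<id> property scheme above is easy to get subtly wrong when several OPs are configured by hand (a key left unprefixed, a provider missing its clientSecret, ids that skip a number). The following is an added example, not IBM's TAI code: it parses a property set in that form into per-provider and shared settings, reports such gaps, and routes a request path to the provider whose interceptedPathFilter matches. It assumes, for illustration only, that interceptedPathFilter is a comma-separated list of path prefixes; the trimmed sample property set is constructed here and deliberately omits provider_2.clientSecret.

```python
import re
# Constructed sample in the provider_<id> form this APAR introduces (trimmed;
# provider_2.clientSecret is intentionally left out so validate() finds it).
SAMPLE_PROPERTIES = """
provider_1.identifier=provider1
provider_1.interceptedPathFilter=/testapp1
provider_1.clientId=client01
provider_1.clientSecret=secret_01
provider_1.authorizeEndpointUrl=https://localhost:8020/oidc/endpoint/OP/authorize
provider_1.tokenEndpointUrl=https://localhost:8020/oidc/endpoint/OP/token
provider_2.identifier=provider2
provider_2.interceptedPathFilter=/testapp2
provider_2.clientId=client02
provider_2.authorizeEndpointUrl=https://accounts.google.com/o/oauth2/auth
provider_2.tokenEndpointUrl=https://www.googleapis.com/oauth2/v3/token
callbackServletContext=/oidcclient
"""
PROVIDER_KEY = re.compile(r"^provider_(\d+)\.(\w+)$")
REQUIRED = ("identifier", "interceptedPathFilter", "clientId", "clientSecret",
            "authorizeEndpointUrl", "tokenEndpointUrl")

def parse_tai_properties(text):
    """Split properties into {provider_id: {key: value}} plus the shared, unprefixed keys."""
    providers, shared = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        m = PROVIDER_KEY.match(key)
        if m:
            providers.setdefault(int(m.group(1)), {})[m.group(2)] = value
        else:
            shared[key] = value
    return providers, shared

def validate(providers):
    """List providers missing a required key and ids that break sequential numbering."""
    problems = [f"provider_{pid} is missing {k}" for pid, cfg in sorted(providers.items())
                for k in REQUIRED if k not in cfg]
    if sorted(providers) != list(range(1, len(providers) + 1)):
        problems.append(f"provider ids are not sequential: {sorted(providers)}")
    return problems

def provider_for_path(providers, path):
    """Id of the first provider whose interceptedPathFilter matches the request path.
    Assumption for this example: the filter is a comma-separated list of path prefixes."""
    for pid, cfg in sorted(providers.items()):
        for prefix in (p.strip() for p in cfg.get("interceptedPathFilter", "").split(",")):
            if prefix and path.startswith(prefix):
                return pid
    return None
```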

Temporary fix

Comments

APAR Information

  • APAR number

    PI47460

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-08-24

  • Closed date

    2015-09-18

  • Last modified date

    2015-09-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP


Document Information

Modified date:
28 April 2022