Fixes are available
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
Using the WebSphere OIDC RP TAI, we want to establish trust using the access token in the HTTP header. The token is sent to the OpenId Provider (OP) introspection endpoint and successfully verified by the OP, but authentication fails because the OIDC TAI expects an "iat" claim in the JSON response from introspection endpoint. According to the OIDC spec, the iat claim is optional for the introspection response.
Local fix
Creating iFix
Problem summary
**************************************************************** * USERS AFFECTED: IBM WebSphere Application Server of the * * OpenId Connect Relying Party * **************************************************************** * PROBLEM DESCRIPTION: The OIDC RP is requiring optional * * claims in the access token in an * * introspection response * **************************************************************** * RECOMMENDATION: Install a fix pack or interim fix that * * contains this APAR. * **************************************************************** The OpenId Connect (OIDC) Relying Party (RP) TAI is requiring optional claims in the access token in an introspection response. The required claims that should be optional are: exp, iat, scope, iss, and uniqueSecurityName.
Problem conclusion
The OIDC TAI is updated to not require optional claims. However, there are situations where an optional claim may be required. The following OIDC TAI custom properties are added: provider_<id>.defaultRealmName This property does not have a default value. The realm name to use if one is not obtained from the token. provider_<id>.verifyIssuerInIat true/false (default) Set this property to true if you want to validate the issuer (iss) in an introspection access token against the value for the provider_<id>.issuerIdentifier property in the OIDC configuration. If provider_<id>.mapIdentityToRegistryUser=false, a realm name must be available. If provider_<id>.defaultRealmName has not been set, the claim associated with the realmIdentifier (default=iss) will be required. A user name must be resolved. The claim associated with provider_<id>.uniqueUserIdentifier (default=sub) or sub must exist. For instance, if you set uniqueUserIdentifier=abc, then you must have have the claim abc or sub. If uniqueUserIdentifier evaulates to sub, then sub must exist. If the exp claim is not in the introspected access token, the expiration will be set to 60 minutes. If the iat claim is not in the introspected access token, the iat will default to current time. The fix for this APAR is currently targeted for inclusion in fix pack 8.0.0.15, 9.0.0.6 and 8.5.5.13. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PI86752
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-09-01
Closed date
2017-09-18
Last modified date
2017-09-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R800 PSY
UP
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
04 May 2022