IBM Support

PI96012: CLIENT AUTHENTICATION JWTS REQUIRE "SUB" CLAIM

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • ERROR DESCRIPTION:Ø
    The Liberty openIdConnectClient requires that JWTs used for
    Client Authentication have a "sub" claim
    

Local fix

  • Use a JWT which has a "sub" claim
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty - JWT authentication         *
    ****************************************************************
    * PROBLEM DESCRIPTION: JWT authentication requires sub claim   *
    *                      when it should not                      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The OpenID Connect specification requires a sub claim be present
    in a JWT when it is used as an ID Token.  However, when a JWT is
    used in the JWT authentication path and not one of the standard
    OpenID Connect paths, the sub claim should not be required.
    When a JWT that does not contain a sub claim is used with JWT
    Authentication, a message like the following can be observed in
    the log:
    
    CWWKS1737E: The OpenID Connect client [client01] failed to
    validate the JSON Web Token. The cause of the error was: [No
    Subject]
    

Problem conclusion

  • The JSON Web Token authentication path for the OpenID Connect
    client feature is modified to not require a sub claim in the
    JWT.
    
    Although a JWT used with JWT authentication does not require a
    client called 'sub', a claim must exist in the token from which
    to obtain the identity for the Subject that will be created.
    The userIdentityToCreateSubject openidConnectClient
    configuration attribute defines the claim to use for the
    identity.  The value for this attribute defaults to 'sub'.  If
    the JWT does not contain a sub claim, the
    userIdentityToCreateSubject configuration attribute must be set
    a name of a claim that exists in the JWT that contains the
    identity.  For example: subject or username.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 18.0.0.2.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI96012

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    CD0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-03-30

  • Closed date

    2018-06-12

  • Last modified date

    2018-06-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROFILE

  • Fixed component ID

    5724J0814

Applicable component levels



Document information

More support for: WebSphere Application Server

Software version: CD0

Reference #: PI96012

Modified date: 12 June 2018


Translate this page: