IBM Support

PI47460: Add multi-provider support to OpenID Connect Relying Party in the full profile

Download


Abstract

The OpenID Connect Relying Party (RP) TAI does not support multiple providers.

Download Description

THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.



PI47460 resolves the following problem:

ERROR DESCRIPTION:
The WebSphere Application Server full profile OpenID Connect RP will not work with multiple OpenID Connect providers. The Trust Association Interceptor (TAI) configuration of the RP will only allow one provider to be configured.

PROBLEM SUMMARY

USERS AFFECTED:
IBM WebSphere Application Server users of OpenID Connect Relying Party

PROBLEM DESCRIPTION:
The OpenID Connect Relying Party (RP) TAI does not support multiple providers.

RECOMMENDATION:
Install a fix pack that contains this APAR.

The current implementation of the OpenID Connect Relying Party Trust Association Interceptor (TAI) in the full profile only supports the configuration of a single provider. A user who needs the TAI to interact with multiple providers has no way to configure it.

PROBLEM CONCLUSION:
The OpenID Connect Relying Party TAI is updated to add multi-provider support.

You can configure each provider by embedding a provider_<id> prefix in the TAI property name. The provider_<id> values are numbered sequentially, one for each OpenID Provider (OP). Some TAI properties apply to all providers; these properties are not prefixed with provider_<id>.

For example, you can configure two providers as shown below:

provider_1.identifier=provider1
provider_1.interceptedPathFilter=/testapp1
provider_1.clientId=client01
provider_1.clientSecret=secret_01
provider_1.authorizeEndpointUrl=https://localhost:8020/oidc/endpoint/OP/authorize
provider_1.tokenEndpointUrl=https://localhost:8020/oidc/endpoint/OP/token
provider_1.scope=openid general
provider_2.identifier=provider2
provider_2.interceptedPathFilter=/testapp2
provider_2.clientId=client02
provider_2.clientSecret=secret_02
provider_2.authorizeEndpointUrl=https://accounts.google.com/o/oauth2/auth
provider_2.tokenEndpointUrl=https://www.googleapis.com/oauth2/v3/token
provider_2.scope=openid general email
provider_2.jwkEndpointUrl=https://www.googleapis.com/oauth2/v2/certs
provider_2.issuerIdentifier=accounts.google.com
provider_2.signatureAlgorithm=RS256
provider_2.userIdentifier=email
callbackServletContext=/oidcclient

See the OpenID Connect Relying Party custom properties Knowledge Center topic for more information on all the OpenID Connect RP custom properties available to you.
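As an added illustration (not IBM's code or the TAI's own parser) of how the provider_<id> prefixing scheme separates per-provider properties from shared ones, the script below parses a trimmed subset of the configuration above, groups the properties per provider, flags configuration problems before deployment, and routes a request path to its provider. The required-key list, the duplicate-path check, the issuerIdentifier check and the prefix-match routing are this example's assumptions, not documented TAI behaviour.

```python
import re
from collections import defaultdict
# Constructed sample: a trimmed subset of the two-provider configuration shown above
SAMPLE = """
provider_1.identifier=provider1
provider_1.interceptedPathFilter=/testapp1
provider_1.clientId=client01
provider_1.clientSecret=secret_01
provider_1.tokenEndpointUrl=https://localhost:8020/oidc/endpoint/OP/token
provider_2.identifier=provider2
provider_2.interceptedPathFilter=/testapp2
provider_2.clientId=client02
provider_2.clientSecret=secret_02
provider_2.tokenEndpointUrl=https://www.googleapis.com/oauth2/v3/token
provider_2.issuerIdentifier=accounts.google.com
callbackServletContext=/oidcclient
"""
PROVIDER_KEY = re.compile(r"^provider_(\d+)\.(\w+)$")
REQUIRED = ("identifier", "clientId", "clientSecret", "tokenEndpointUrl")  # assumed, not the TAI's rule list
def parse_tai_properties(text):
    """Group provider_<id>.key lines by id; everything else is a TAI property shared by all providers."""
    providers, shared = defaultdict(dict), {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            m = PROVIDER_KEY.match(key)
            if m:
                providers[int(m.group(1))][m.group(2)] = value
            else:
                shared[key] = value
    return dict(providers), shared
def check_providers(providers):
    """List problems to fix before deploying: missing keys, duplicate path filters, no issuer pin."""
    problems, seen_paths = [], {}
    for pid, cfg in sorted(providers.items()):
        problems += [f"provider_{pid}: missing {k}" for k in REQUIRED if k not in cfg]
        path = cfg.get("interceptedPathFilter")
        if path in seen_paths:  # two providers on one path filter makes routing ambiguous
            problems.append(f"provider_{pid}: interceptedPathFilter {path} already used by provider_{seen_paths[path]}")
        seen_paths[path] = pid
        if "issuerIdentifier" not in cfg:  # nothing to compare the ID token's iss claim against
            problems.append(f"provider_{pid}: no issuerIdentifier")
    return problems
def select_provider(providers, request_path):
    # Route to the first provider whose interceptedPathFilter prefixes the path (prefix match is assumed)
    for pid, cfg in sorted(providers.items()):
        path = cfg.get("interceptedPathFilter")
        if path and request_path.startswith(path):
            return pid
    return None
```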

The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.12 and 8.5.5.8. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, OIDC, INTERIMFIX




Prerequisites

None

Installation Instructions

Please review the readme.txt for detailed installation instructions.


Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).


Document Information

Modified date:
15 June 2018

UID

swg24041056