IBM Support

PI64573: OIDC: A 403 error may occur if OP URL encodes the state parameter

Abstract

A 403 error may occur when using the OpenID Connect Relying Party

Download Description

THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.


PI64573 resolves the following problem:

ERROR DESCRIPTION:
A 403 error may occur when the OpenID Connect Relying Party is a partner with an OpenID Connect provider that URL encodes the state parameter.

PROBLEM SUMMARY

USERS AFFECTED:
All IBM WebSphere Application Server users of OpenID Connect Relying Party

PROBLEM DESCRIPTION:
A 403 error may occur when using the OIDC RP

RECOMMENDATION:
Install a fix pack or interim fix that contains this APAR.

A 403 error may occur when the OpenID Connect Relying Party is a partner with an OpenID Connect provider that URL encodes the state parameter.

PROBLEM CONCLUSION:
The OpenID Connect specification states that the state parameter must be returned to the client without modification. The WebSphere OpenID Connect Relying Party (RP) constructs the state parameter in a way that includes characters that URL encoding alters; if the OpenID Connect provider (OP) sanitizes the state parameter by URL encoding it, the value returned to the RP no longer matches the value the RP issued, the state appears to have been modified, and the RP rejects the response with a 403 error.

The OpenID Connect RP is modified to ensure that the state parameter is created in a way that URL encoding it will not change its contents.
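The following is an added illustration of the failure mode described above and of the remedy, not code from IBM or from the WebSphere RP. It assumes, purely for illustration, that the original state value was produced with standard base64 (which emits '+', '/' and '=') and that the fix uses the URL-safe base64 alphabet without padding; the page itself does not state how WebSphere builds the state. The "OP" here is a stand-in that percent-encodes the state before returning it, and the "RP callback" compares the returned value against the stored one and answers 403 on mismatch, as the APAR describes.

```python
import base64
import hmac
import os
from urllib.parse import quote


def legacy_state(raw: bytes) -> str:
    """State value built in a way that URL encoding changes (assumed
    illustration: plain base64, whose alphabet includes '+', '/' and '=')."""
    return base64.b64encode(raw).decode("ascii")


def url_safe_state(raw: bytes) -> str:
    """State value whose characters survive URL encoding unchanged:
    URL-safe base64 ('-' and '_' instead of '+' and '/') with the '='
    padding stripped. Only unreserved URL characters remain."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def op_sanitize(state: str) -> str:
    """Stand-in for an OP that sanitizes the state by percent-encoding it
    before sending it back on the redirect."""
    return quote(state, safe="")


def survives_url_encoding(state: str) -> bool:
    """True when percent-encoding leaves the state byte-for-byte identical,
    i.e. an OP that URL-encodes it cannot make it look modified."""
    return quote(state, safe="") == state


def rp_callback(stored_state: str, returned_state: str) -> int:
    """HTTP status the RP produces on the callback: 200 when the returned
    state matches the one it issued, 403 otherwise. Constant-time comparison
    so the check does not leak how many leading characters matched."""
    if hmac.compare_digest(stored_state.encode(), returned_state.encode()):
        return 200
    return 403


def demonstrate(raw: bytes) -> dict:
    """Run both state constructions through the sanitizing OP and report
    what the RP would answer for each."""
    old, new = legacy_state(raw), url_safe_state(raw)
    return {
        "legacy_state": old,
        "legacy_as_returned_by_op": op_sanitize(old),
        "legacy_status": rp_callback(old, op_sanitize(old)),
        "safe_state": new,
        "safe_as_returned_by_op": op_sanitize(new),
        "safe_status": rp_callback(new, op_sanitize(new)),
    }


if __name__ == "__main__":
    # Constructed input: the leading bytes 0xfb 0xff 0xbe encode to "+/++" in
    # base64, which guarantees the legacy value contains reserved characters.
    sample = b"\xfb\xff\xbe" + os.urandom(20)
    for key, value in demonstrate(sample).items():
        print(f"{key:28s} {value}")
```

With a sanitizing OP, the legacy value comes back as `%2B%2F%2B%2B...` and the RP answers 403, while the URL-safe value comes back unchanged and the RP answers 200; this is exactly the property the APAR's fix restores. A production RP would of course also bind the state to the user's session and expire it, which this snippet leaves out.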


The fix for this APAR is currently targeted for inclusion in fix pack 8.0.0.13, 8.5.5.11 and 9.0.0.1. PI64924 is the only APAR in this set that is not included in 9.0.0.1; it is targeted for 9.0.0.2. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, OIDC, INTERIMFIX


Installation Instructions

Please review the readme.txt for detailed installation instructions.

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Applies to:
Product: WebSphere Application Server (SSEQTP)
Business Unit: Cloud & Data Platform
Component: General
Platforms: AIX, HP-UX, IBM i, Inspur K-UX, Linux, Solaris, Windows, z/OS
Versions: 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.5.5.3, 8.5.5.4, 8.5.5.5, 8.5.5.6, 8.5.5.7, 8.5.5.8, 8.5.5.9
Editions: Base, Network Deployment, Single Server
Line of Business: Automation

Document Information

Modified date:
15 June 2018

UID

swg24042451