Download
Abstract
A 403 Error may occur when using the OpenID Connect Relying Party
Download Description
THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.
PI64573 resolves the following problem:
ERROR DESCRIPTION:
A 403 error may occur when the OpenID Connect Relying Party is a partner with an OpenID Connect provider that URL encodes the state parameter.
PROBLEM SUMMARY
USERS AFFECTED:
All IBM WebSphere Application Server users of OpenID Connect Relying Party
PROBLEM DESCRIPTION:
A 403 Error may occur when using the OIDC RP
RECOMMENDATION:
Install a fix pack or interim fix that contains this APAR.
PROBLEM CONCLUSION:
The OpenID Connect specification states that the state parameter must be returned to the client without modification. Because of the way that the WebSphere OpenID Connect Relying Party (RP) is constructing the state parameter, if the OpenID Connect provider (OP) sanitizes the state parameter by URL encoding it, the state parameter will appear to be modified and a 403 error will result.
The OpenID Connect RP is modified to ensure that the state parameter is created in a way that URL encoding it will not change its contents.
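The failure and the fix described above can be reproduced with a small simulation. This is an added example, not IBM's code: the page does not say how the RP built its state value, so standard Base64 is assumed for the failing case, and the callback URL, function names and raw bytes are constructed placeholders.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

CALLBACK = "https://rp.example/callback"  # placeholder RP redirect URI
RAW = b"\xfb\xff\xfe\x01"  # constructed bytes that encode to '+', '/' and '='


def state_standard_b64(raw: bytes) -> str:
    # Assumed pre-fix style: output may contain '+', '/' and '=',
    # all of which change when percent-encoded.
    return base64.b64encode(raw).decode("ascii")


def state_urlsafe(raw: bytes) -> str:
    # Only A-Z a-z 0-9 '-' '_' remain, so URL encoding is a no-op.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def op_redirect(code: str, state: str, sanitize: bool) -> str:
    # Simulated OP: optionally URL encodes the state value it received
    # before building the redirect back to the RP.
    if sanitize:
        state = quote(state, safe="")
    return CALLBACK + "?" + urlencode({"code": code, "state": state})


def rp_callback_status(redirect_url: str, expected_state: str) -> int:
    # Simulated RP: decode the query once, then compare the returned
    # state with the stored one in constant time.
    params = parse_qs(urlsplit(redirect_url).query)
    returned = params.get("state", [""])[0]
    same = hmac.compare_digest(returned.encode(), expected_state.encode())
    return 200 if same else 403


if __name__ == "__main__":
    for make in (state_standard_b64, state_urlsafe):
        st = make(RAW)
        for sanitize in (False, True):
            status = rp_callback_status(op_redirect("abc", st, sanitize), st)
            print(f"{make.__name__:20} sanitize={sanitize!s:5} -> {status}")
    # Outside the demo, the raw bytes come from a CSPRNG:
    print(state_urlsafe(secrets.token_bytes(16)))
```

Only the combination of a state containing reserved characters and a sanitizing OP yields 403; the strict comparison stays in place, and the state alphabet is what changes.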
The fix for this APAR is currently targeted for inclusion in fix pack 8.0.0.13, 8.5.5.11 and 9.0.0.1. PI64924 is the only APAR in this set that is not included in 9.0.0.1; it is targeted for 9.0.0.2. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Keywords: IBMWL3WSS, OIDC, INTERIMFIX
Installation Instructions
Please review the readme.txt for detailed installation instructions.
Technical Support
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
Document Information
Modified date:
15 June 2018
UID
swg24042451