IBM Support

PH09706: Liberty OIDC message numbers CWWKS1754 through CWWKS1759 are duplicated

APAR status

  • Closed as program error.

Error description

  • Some message numbers in the Liberty OpenID Client (OIDC)
    feature are duplicated in Liberty fix pack 18.0.0.4.  The
    affected messages are listed below.
    
    The original messages in the OpenID Connect client are:
    
    CWWKS1754E: Validation failed for the ID token requested by
    [{1}] because the (aud) audience [{0}] specified in the
    token does not match the clientId [{1}] specified in the
    OpenID Connect client configuration.
    CWWKS1755E: Validation failed for the ID token requested by
    [{1}] because the (azp) authorized party [{0}] specified in
    the token does not match the clientId [{1}] specified in the
    OpenID Connect client configuration.
    CWWKS1756E: Validation failed for the ID token requested by
    [{0}] using the [{2}] algorithm due to a signature
    verification failure: [{1}].
    CWWKS1757E: Validation failed for the ID token requested by
    [{0}] using the [{2}] algorithm due to a signature
    verification failure: [{1}].
    CWWKS1758E: Validation failed for the ID token requested by
    the [{0}] due to [{1}]. This might have been caused by
    either the current time [{2}] being after the token
    expiration time [{3}] or the issue time [{4}] being too far
    away from the current time [{2}].
    CWWKS1759E: Validation failed for the ID token requested by
    the [{0}] due to hash mismatch of access token [{1}] and the
    at_hash claim [{2}] in the ID token.
    
    The duplicates added in the OIDC discovery feature are:
    
    CWWKS1754E: The OpenID Connect client [{0}] failed to obtain
    Open ID Connect Provider endpoint information through the
    discovery endpoint URL [{1}]. Update the configuration for
    the OpenID Connect client with the correct HTTPS discovery
    endpoint URL.
    CWWKS1755E: A successful response was not returned from the
    URL [{0}]. This is the [{1}] response status and the [{2}]
    error from the discovery request.
    CWWKS1756I: The OpenID Connect client [{0}] configuration
    has been established with the information from the discovery
    endpoint URL [{1}]. This information enables the client to
    interact with the OpenID Connect provider to process the
    requests such as authorization and token.
    CWWKS1757I: The OpenID Connect client [{0}] configuration
    has been updated with the new information received from the
    discovery endpoint URL [{1}].
    CWWKS1758I: The OpenID Connect client [{0}] configuration is
    consistent with the information from the discovery endpoint
    URL [{1}], so no configuration updates are needed.
    CWWKS1759E: The required [{0}] configuration attribute is
    missing or empty and a default value is not provided. Verify
    that the attribute is configured or discovered from the
    provider, that it is not empty, and that it does not consist
    of only white space characters.
    
    Any user application that may be checking for the original
    message numbers will not encounter any of the erroneous
    duplicates since the new messages are only emitted by the
    OIDC discovery feature.
     
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty - OpenID Connect             *
    ****************************************************************
    * PROBLEM DESCRIPTION: Liberty OIDC message numbers CWWKS1754  *
    *                      through CWWKS1759 are duplicated        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************

Problem conclusion

  • The duplicate message numbers are re-numbered so that there are
    no conflicting message numbers:
    
    CWWKS1521E: The OpenID Connect client [{0}] failed to obtain
    Open ID Connect Provider endpoint information through the
    discovery endpoint URL [{1}]. Update the configuration for the
    OpenID Connect client with the correct HTTPS discovery endpoint
    URL.
    CWWKS1525E: A successful response was not returned from the URL
    [{0}]. This is the [{1}] response status and the [{2}] error
    from the discovery request.
    CWWKS1526I: The OpenID Connect client [{0}] configuration has
    been established with the information from the discovery
    endpoint URL [{1}]. This information enables the client to
    interact with the OpenID Connect provider to process the
    requests such as authorization and token.
    CWWKS1527I: The OpenID Connect client [{0}] configuration has
    been updated with the new information received from the
    discovery endpoint URL [{1}].
    CWWKS1528I: The OpenID Connect client [{0}] configuration is
    consistent with the information from the discovery endpoint URL
    [{1}], so no configuration updates are needed.
    CWWKS1529E: The required [{0}] configuration attribute is
    missing or empty and a default value is not provided. Verify
    that the attribute is configured or discovered from the
    provider, that it is not empty, and that it does not consist of
    only white space characters.
    
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 19.0.0.2.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
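
Added example, not part of the APAR or IBM's code: a log classifier for servers still on 18.0.0.4 that separates the original ID-token validation messages from the discovery duplicates and reports the duplicates under their renumbered IDs. It assumes English message text and a simplified log line layout; `classify`, `token_failures` and the sample lines are constructed for illustration.

```python
import re

# Discovery messages that reused client message IDs in 18.0.0.4, mapped to the
# IDs they receive in the fix (table taken from the Problem conclusion).
RENUMBERED = {
    "CWWKS1754E": "CWWKS1521E", "CWWKS1755E": "CWWKS1525E",
    "CWWKS1756I": "CWWKS1526I", "CWWKS1757I": "CWWKS1527I",
    "CWWKS1758I": "CWWKS1528I", "CWWKS1759E": "CWWKS1529E",
}
# All six original client messages begin with this text (English locale assumed).
TOKEN_PREFIX = "Validation failed for the ID token"
MSG_RE = re.compile(r"\b(CWWKS(\d{4})[A-Z]): (.*)")

def classify(line):
    """Return (kind, canonical_id) for a log line, or None without a CWWKS ID."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg_id, number, text = m.groups()
    if msg_id in RENUMBERED.values():
        return ("discovery", msg_id)            # server already has the fix
    if not 1754 <= int(number) <= 1759:
        return ("other", msg_id)
    if text.startswith(TOKEN_PREFIX):
        return ("token-validation", msg_id)     # original client message
    # Same number, different text: a discovery duplicate. The severity letter
    # separates 1756-1758 (E vs I) but not 1754, 1755 and 1759 (E in both).
    return ("discovery", RENUMBERED.get(msg_id, msg_id))

def token_failures(lines):
    """IDs of genuine ID-token validation failures, in log order."""
    hits = (classify(line) for line in lines)
    return [h[1] for h in hits if h and h[0] == "token-validation"]

# Constructed sample lines (simplified layout, made-up client names and URLs).
SAMPLE = [
    "[3/13/19 10:15:02 UTC] E CWWKS1754E: Validation failed for the ID token "
    "requested by [rp1] because the (aud) audience [other] specified in the "
    "token does not match the clientId [rp1] specified in the OpenID Connect "
    "client configuration.",
    "[3/13/19 10:15:07 UTC] E CWWKS1754E: The OpenID Connect client [rp1] "
    "failed to obtain Open ID Connect Provider endpoint information through "
    "the discovery endpoint URL [https://op.example/.well-known/openid-configuration].",
    "[3/13/19 10:16:40 UTC] E CWWKS1759E: The required [tokenEndpointUrl] "
    "configuration attribute is missing or empty and a default value is not provided.",
]
```

An alert keyed on the ID alone would fire on the second and third sample lines; `token_failures(SAMPLE)` returns only the first.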
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH09706

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    CD0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-03-13

  • Closed date

    2019-03-21

  • Last modified date

    2019-03-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROFILE

  • Fixed component ID

    5724J0814

Applicable component levels



Document information

More support for: WebSphere Application Server

Software version: CD0

Reference #: PH09706

Modified date: 21 March 2019