IBM Support

PH11107: OIDC RP ALWAYS INCLUDES PORT NUMBER ON REDIRECT_URI PARAMETER

APAR status

  • Closed as program error.

Error description

  • The OpenID Connect Relying Party TAI, by default, always
    includes the port number in the redirect_uri parameter that it
    sends to the OpenID provider.  This can cause issues when
    administrators are registering the RP with their OpenID
    provider.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenID Connect                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: OIDC RP always includes port number     *
    *                      on redirect_uri parameter to OP         *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  includes this APAR.                         *
    ****************************************************************
    The default for the redirect_uri parameter that is sent on
    requests to an OpenID Provider (OP) by the OpenID Connect
    (OIDC) Relying Party (RP) Trust Association Interceptor (TAI)
    in WebSphere traditional always includes a port number.  For
    instance:
    https://myenvironment.ibm.com:443/oidclient/client1
    The WebSphere Liberty implementation of the OIDC RP does not
    include the port number.
    There should be a way for customers to be consistent when
    registering their redirect URIs with their OPs.
    

Problem conclusion

  • The following OIDC TAI custom property is added:
    
    provider_<id>.includePortInDefaultRedirectUrl
    
    Valid values are true and false.  The default is true.
    
    Set this property to false if you do not want the OpenID
    Connect RP to include the port number in the redirect_uri
    parameter that is sent to the OpenID Provider (OP). This
    property only affects the default redirect_uri that is
    determined by the RP.  If the
    provider_<id>.redirectToRPHostAndPort property is set to a
    value that includes a port number, the port will be included
    in the request to the OP.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.16 and 9.0.5.1.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
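
The interaction between the two properties described above, as an added illustration that is not WebSphere code and is not taken from this APAR: a small model of how an RP assembles its default redirect_uri, how includePortInDefaultRedirectUrl toggles the port, and how an explicit redirectToRPHostAndPort value takes precedence. The path `/oidclient/client1` is the one from the example in the problem summary; the assumption that redirectToRPHostAndPort holds a `scheme://host[:port]` prefix, and the registered-URI check, are this example's own. The check reflects the OpenID Connect Core requirement that the redirect_uri sent on the authorization request match a registered value by simple string comparison, which is why a stray `:443` breaks registration at the OP.

```python
from urllib.parse import urlsplit

# Path taken from the APAR's example redirect_uri.
DEFAULT_PATH = "/oidclient/client1"


def default_redirect_uri(scheme, host, port, include_port=True, path=DEFAULT_PATH):
    """Build the redirect_uri the RP derives on its own.

    include_port models provider_<id>.includePortInDefaultRedirectUrl;
    the APAR states its default is true, i.e. the port is always emitted
    even when it is the scheme's well-known port.
    """
    authority = f"{host}:{port}" if include_port else host
    return f"{scheme}://{authority}{path}"


def redirect_uri(scheme, host, port, include_port=True,
                 redirect_to_rp_host_and_port=None, path=DEFAULT_PATH):
    """Resolve the redirect_uri actually sent to the OP.

    If provider_<id>.redirectToRPHostAndPort is configured, its host and
    port are used as given (a port in that value is always sent), and
    includePortInDefaultRedirectUrl has no effect.  Assumption of this
    example: the value is a 'scheme://host[:port]' prefix.
    """
    if redirect_to_rp_host_and_port:
        parts = urlsplit(redirect_to_rp_host_and_port)
        if not parts.scheme or not parts.netloc:
            raise ValueError("redirectToRPHostAndPort must be scheme://host[:port]")
        return f"{parts.scheme}://{parts.netloc}{path}"
    return default_redirect_uri(scheme, host, port, include_port, path)


def matches_registered(sent_uri, registered_uris):
    """OP-side check: exact string match against the registered redirect URIs.

    OpenID Connect Core requires simple string comparison here, so
    'https://h:443/p' and 'https://h/p' are distinct values even though
    they denote the same endpoint.
    """
    return sent_uri in set(registered_uris)


if __name__ == "__main__":
    # Constructed sample: the OP was registered with the port-less form.
    registered = ["https://myenvironment.ibm.com/oidclient/client1"]
    host, port = "myenvironment.ibm.com", 443

    with_port = redirect_uri("https", host, port)                      # default behaviour
    without_port = redirect_uri("https", host, port, include_port=False)
    print(with_port, matches_registered(with_port, registered))        # ... False
    print(without_port, matches_registered(without_port, registered))  # ... True
```

Running the block shows the pre-fix default (`https://myenvironment.ibm.com:443/oidclient/client1`) failing the exact-match check against a registration made without the port, while the same request with the property set to false matches. The practical consequence for an administrator is that the string registered at the OP and the string the RP emits must agree character for character, including the presence or absence of `:443`.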
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH11107

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-04-16

  • Closed date

    2019-05-06

  • Last modified date

    2019-05-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels



Document information

More support for: WebSphere Application Server
General

Software version: 900

Reference #: PH11107

Modified date: 06 May 2019