Fixes are available
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
The OpenID Connect Relying Party TAI, by default, always includes the port number in the redirect_uri parameter that it sends to the OpenID provider. This can cause issues when administrators are registering the RP with their OpenID provider.
Local fix
n/a
Problem summary
USERS AFFECTED: IBM WebSphere Application Server users of OpenID Connect
PROBLEM DESCRIPTION: OIDC RP always includes port number on redirect_uri parameter to OP
RECOMMENDATION: Install a fix pack or interim fix that includes this APAR.

The default for the redirect_uri parameter that is sent on requests to an OpenID Provider (OP) by the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) in WebSphere traditional always includes a port number. For instance:
https://myenvironment.ibm.com:443/oidclient/client1

The WebSphere Liberty implementation of the OIDC RP does not include the port number. There should be a way for customers to be consistent when registering their redirect URIs with their OPs.
Problem conclusion
The following OIDC TAI custom property is added:

provider_<id>.includePortInDefaultRedirectUrl

Valid values are true and false. The default is true. Set this property to false if you do not want the OpenID Connect RP to include the port number in the redirect_uri parameter that is sent to the OpenID Provider (OP).

This property only affects the default redirect_uri that is determined by the RP. If the provider_<id>.redirectToRPHostAndPort property is set to a value that includes a port number, the port will be included in the request to the OP.

The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.16 and 9.0.5.0. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
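The following is an added illustration, not IBM's code, of the behaviour described in the error description and problem conclusion above. It models how the RP's default redirect_uri is derived from the request's scheme, host and port, how the new provider_<id>.includePortInDefaultRedirectUrl property drops the port, and how provider_<id>.redirectToRPHostAndPort takes precedence; it then checks the result against the URIs registered at the OP, which OpenID Connect Core requires to match exactly. The function names, the assumption that redirectToRPHostAndPort holds a scheme://host[:port] value, the /oidclient context root (taken from the page's example URL) and the sample property values are assumptions for the example.

```python
# Added example (not IBM's code). Models the redirect_uri behaviour this APAR
# describes for the WebSphere traditional OIDC RP TAI. Names of functions and
# the sample property/registration values are assumptions for illustration.

CLIENT_PATH = "/oidclient"  # assumed RP context root, from the page's example URL


def _prop(props, provider_id, name, default=None):
    """Look up a TAI custom property of the form provider_<id>.<name>."""
    return props.get(f"provider_{provider_id}.{name}", default)


def build_default_redirect_uri(props, provider_id, scheme, host, port):
    """Return the redirect_uri the RP would send to the OP for this provider."""
    override = _prop(props, provider_id, "redirectToRPHostAndPort")
    if override:
        # Assumed form scheme://host[:port]; used verbatim, so a port given
        # here is always sent to the OP regardless of includePortInDefaultRedirectUrl.
        base = override.rstrip("/")
    else:
        # Property added by this APAR; the default "true" keeps the old behaviour.
        include_port = _prop(props, provider_id, "includePortInDefaultRedirectUrl", "true")
        if str(include_port).strip().lower() == "true":
            base = f"{scheme}://{host}:{port}"
        else:
            base = f"{scheme}://{host}"
    return f"{base}{CLIENT_PATH}/{provider_id}"


def is_registered(redirect_uri, registered_uris):
    """OPs compare redirect_uri with the client's registered values by exact
    string match (OpenID Connect Core 3.1.2.1), so 'host:443' and 'host' are
    different URIs to the OP even though they reach the same endpoint."""
    return redirect_uri in registered_uris


def check_consistency(props, provider_id, scheme, host, port, registered_uris):
    """Return (redirect_uri the RP will send, whether the OP would accept it)."""
    uri = build_default_redirect_uri(props, provider_id, scheme, host, port)
    return uri, is_registered(uri, registered_uris)


if __name__ == "__main__":
    # Constructed registration at the OP: administrator registered the URI without a port.
    registered = {"https://myenvironment.ibm.com/oidclient/client1"}

    # Default (property absent => true): RP sends the port, OP rejects the mismatch.
    print(check_consistency({}, "client1", "https", "myenvironment.ibm.com", 443, registered))

    # With the new property set to false the URIs match exactly.
    props = {"provider_client1.includePortInDefaultRedirectUrl": "false"}
    print(check_consistency(props, "client1", "https", "myenvironment.ibm.com", 443, registered))
```

When diagnosing an OP "invalid redirect_uri" error after applying this fix, compare the exact string the RP sends (the first element of the tuple) with the registered value; a difference in only the port, a trailing slash or the scheme is enough for an OP to refuse the request.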
Temporary fix
Comments
APAR Information
APAR number
PH11107
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-04-16
Closed date
2019-05-06
Last modified date
2019-05-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
Document Information
Modified date:
28 April 2022