IBM Support

PH12520: OIDC: ENABLE JWT SSO IN WEBSPHERE APPLICAITON SERVER

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • WebSphere Application Server does not have the ability to
    use a JWT on an http request header for securing access to a
    protected resource.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: A resource cannot be secured using a    *
    *                      JWT on an http header                   *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    WebSphere Application Server does not have the ability to
    use a JWT on an http request header for access to a protected
    resource.
    

Problem conclusion

  • Currently, the OpenID Connect (OIDC) Trust Association
    Interceptor (TAI) only supports a tradtional OIDC flow.  If a
    JWT is sent on an HTTP request header, the JWT will not
    be validated and the request will be redirected to an OpenID
    provider (OP) for authentication.
    
    The OIDC TAI is updated so that it can accept JWTs on the http
    header to secure access to protected resources.
    
    The following OIDC TAI custom properties are added to enable
    this feature:
    
    ===============================
    provider_<id>.useJwtFromRequest
    
    Values: no (default), required, ifPresent
    
    Controls processing if a JWT is found in the http request
    Authorization header:
    
    no = do not use a JWT for authentication.  If a provider is
    configured, introspection of the JWT with the provider will be
    attempted.
    required = must use the JWT from the request.  A provider is not
    used.
    ifPresent = use a JWT if present.  If a JWT is missing or
    invalid, fall back to using the provider for authentication, if
    one is configured.
    
    ===============================
    provider_<id>.tokenReuse
    
    Values: true (default), false
    
    Specifies if a JWT can be used more than once.  If this property
    is set to false, then a JWT containing 'jti' claim cannot be
    reused.
    
    ===============================
    provider_<id>.audiences
    
    Values: Any comma-separated audience string or ALL_AUDIENCES
    
    Specifies a comma-separated list of trusted audiences to be
    verified against the 'aud' claim in the JsonWebToken.  If
    'ALL_AUDIENCES' is specified, then all are trusted.  An 'aud'
    claim must exist in the JWT if this property is set to a value.
    
    ===============================
    provider_<id>.setLtpaCookie
    
    Values: true, false (default)
    
    This property determines if the OIDC TAI will set an LTPA cookie
    in the response after successful authentication with inbound JWT
    This is supported only when useJwtFromRequest is set to either
    'required' or 'ifPresent'.
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.16 and 9.0.5.0.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH12520

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-05-28

  • Closed date

    2019-06-19

  • Last modified date

    2020-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 April 2022