Fixes are available
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
APAR status
Closed as program error.
Error description
For an OpenID Provider, multi-factor authentication may be controlled by adding an "acr_values" parameter to the authentication request. When multi-factor authentication is being controlled in this way, the OP will return with an id-token that has an 'acr' claim that has the same value as the acr_values parameter. When the acr_values parameter is added to the provider_<id>.authorizeEndpointUrl OIDC TAI property, multi-factor authentication is triggered, and then the id-token has an 'acr' claim with the same value as acr_values parameter. Authentication via OIDC will complete successfully. However, the OIDC TAI does not check to make sure that 1) the id-token contains an 'acr' claim and 2) the 'acr' claim is the same as the value for the acr_values parameter. This is required when performing multi-factor authentication using the acr_values parameter.
Local fix
n/a
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server and the OIDC TAI * **************************************************************** * PROBLEM DESCRIPTION: The OIDC RP TAI does not verify that * * the acr claim of the idToken when the * * auth endpoint contains an acr_values * * parameter. * **************************************************************** * RECOMMENDATION: Install a fix pack or interim fix that * * contains this APAR. * **************************************************************** When an acr_values parameter is included on the provider_<id>.authorizeEndpointUrl OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) custom property, the OIDC TAI does not verify that the idToken that is returned from the OpenID Provider (OP) contains an 'acr' claim that matches the value of the acr_values parameter.
Problem conclusion
The OIDC RP TAI is updated to recognize that an acr_values parameter is present in the value for the provider_<id>.authorizeEndpointUrl OIDC TAI custom property. If an acr_values parameter is present in the authorizeEndpointUrl string, when an idToken is returned from the OP, the TAI will verify that the idToken contains an 'acr' claim and that the value for the claim matches the value for the acr_values parameter. The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.17 and 9.0.5.3. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PH18150
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-10-16
Closed date
2019-12-02
Last modified date
2019-12-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
06 December 2021