
PH18150: THE OIDC RP DOES NOT CHECK THE ID-TOKEN FOR AN ACR VALUE IF THE CONFIGURED AUTH ENDPOINT URL INCLUDES "ACR_VALUES"


APAR status

  • Closed as program error.

Error description

  • For an OpenID Provider, multi-factor authentication may be
    controlled by adding an "acr_values" parameter to the
    authentication request.  When multi-factor authentication is
    being controlled in this way, the OP returns an id-token
    whose 'acr' claim has the same value as the acr_values
    parameter.
    
    When the acr_values parameter is added to the
    provider_<id>.authorizeEndpointUrl OIDC TAI property,
    multi-factor authentication is triggered, and the returned
    id-token has an 'acr' claim with the same value as the
    acr_values parameter.  Authentication via OIDC completes
    successfully.  However, the OIDC TAI does not check that
    1) the id-token contains an 'acr' claim and 2) the 'acr'
    claim matches the value of the acr_values parameter.  Both
    checks are required when performing multi-factor
    authentication using the acr_values parameter.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and the OIDC TAI                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC RP TAI does not verify the     *
    *                      acr claim of the idToken when the       *
    *                      auth endpoint contains an acr_values    *
    *                      parameter.                              *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    When an acr_values parameter is included on the
    provider_<id>.authorizeEndpointUrl OpenID Connect (OIDC)
    Relying Party (RP) Trust Association Interceptor (TAI) custom
    property, the OIDC TAI does not verify that the idToken that
    is returned from the OpenID Provider (OP) contains an
    'acr' claim that matches the value of the acr_values parameter.
    

Problem conclusion

  • The OIDC RP TAI is updated to recognize that an acr_values
    parameter is present in the value for the
    provider_<id>.authorizeEndpointUrl OIDC TAI custom property.
    
    If an acr_values parameter is present in the
    authorizeEndpointUrl string, then when an idToken is returned
    from the OP, the TAI verifies that the idToken contains an
    'acr' claim and that the value of the claim matches the value
    of the acr_values parameter.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 8.5.5.17 and 9.0.5.3.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
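The following is an added example of the RP-side check this APAR describes; it is not code from the IBM OIDC TAI. It extracts the acr_values parameter from the configured authorization endpoint URL, decodes the id-token payload and accepts the token only when an 'acr' claim is present and matches. It generalizes slightly beyond the page's single-value case: OIDC Core defines acr_values as a space-separated list, so the claim must equal one of the listed values. The OP host, the ACR identifier "urn:example:mfa", the test tokens and the function names are all constructed for the example. Signature, issuer, audience and expiry validation are assumed to have already passed and are deliberately not shown.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit


def requested_acr_values(authorize_endpoint_url):
    """Return the set of ACR values requested through the acr_values query
    parameter of the configured authorization endpoint URL.

    An empty set means no acr_values parameter is configured, so no ACR
    enforcement applies."""
    query = parse_qs(urlsplit(authorize_endpoint_url).query)
    values = set()
    for raw in query.get("acr_values", []):
        # OIDC Core defines acr_values as a space-separated list of
        # acceptable ACRs; the APAR's case is the single-value instance.
        values.update(raw.split())
    return values


def decode_jwt_payload(id_token):
    """Decode the payload segment of a compact-serialised JWT.

    This does NOT verify the signature.  Signature, issuer, audience and
    expiry validation must already have succeeded before the ACR check
    below means anything."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id-token is not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def acr_claim_satisfies(claims, requested):
    """Return True when no ACR was requested, or when the id-token carries
    a string 'acr' claim whose value is one of the requested ACR values.

    A missing or non-string 'acr' claim is rejected whenever an ACR was
    requested: that is the check the unfixed TAI omitted."""
    if not requested:
        return True
    acr = claims.get("acr")
    if not isinstance(acr, str):
        return False
    return acr in requested


def validate_id_token_acr(id_token, authorize_endpoint_url):
    """RP-side check: accept the id-token only if its 'acr' claim matches
    what the configured authorizeEndpointUrl asked for."""
    requested = requested_acr_values(authorize_endpoint_url)
    claims = decode_jwt_payload(id_token)
    return acr_claim_satisfies(claims, requested)


def make_test_token(claims):
    """Build a constructed, unsigned test token (header.payload.sig) so the
    example runs offline; the signature segment is only a placeholder."""
    def segment(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{segment({'alg': 'RS256', 'typ': 'JWT'})}.{segment(claims)}.placeholder-signature"


# Constructed configuration: an assumed OP host and an assumed ACR identifier.
AUTHORIZE_URL = "https://op.example.invalid/authorize?acr_values=urn:example:mfa"

if __name__ == "__main__":
    good = make_test_token({"sub": "alice", "acr": "urn:example:mfa"})
    no_acr = make_test_token({"sub": "alice"})
    wrong_acr = make_test_token({"sub": "alice", "acr": "0"})
    print("acr matches: ", validate_id_token_acr(good, AUTHORIZE_URL))
    print("acr missing: ", validate_id_token_acr(no_acr, AUTHORIZE_URL))
    print("acr mismatch:", validate_id_token_acr(wrong_acr, AUTHORIZE_URL))
```

Before the fix, the TAI's behaviour corresponded to skipping acr_claim_satisfies entirely: a token with no 'acr' claim, or with a lower-assurance value, was accepted even though the configured URL had requested multi-factor authentication. The same three outcomes (match, missing claim, mismatch) are what a detection or integration test for the fixed TAI should exercise.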
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH18150

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-10-16

  • Closed date

    2019-12-02

  • Last modified date

    2019-12-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels



Document information

More support for: WebSphere Application Server
General

Software version: 900

Reference #: PH18150

Modified date: 02 December 2019