IBM Support

PH35185: OIDC RP MAY FAIL WITH CWTAI2007E SAYING A NONCE CLAIM IS REQUIRED WHEN THE NONCE IS PRESENT


APAR status

  • Closed as program error.

Error description

  • When using the OpenID Connect TAI, if the
    provider_(id).responseType parameter is set to anything other
    than 'code' (the default value), the login might fail with the
    following error:
    
    CWTAI2007E: The OpenID Connect relying party (RP) encountered
    a failure during the login. The exception is
    [com.ibm.ws.security.oidc.client.RelyingPartyException: The
    OIDC RP encountered an error when valdating the nonce claim [A
    nonce claim is required in the idToken, but one is not
    present.]]. Check the logs for details that lead to this
    exception.
     at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:719)
     at com.ibm.ws.security.oidc.client.RelyingParty.negotiateValidateandEstablishTrust(RelyingParty.java:325)
     at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:103)
     at com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation(WebAuthenticator.java:438)
     at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:3103)
    
    
    When OIDC traces are inspected, you may find that the nonce is
    returned by the OP, and see these entries in the trace:
    
    [4.3.2021 10:02:29:078 CET] 0000010e JSONUtil      3 hasClaim(obj,claimName) returns [true]
    [4.3.2021 10:02:29:078 CET] 0000010e JSONUtil      3   An error occurred when attempting to retrieve the [id_token] claim [com.google.gson.JsonArray incompatible with com.google.gson.JsonPrimitive]
    [4.3.2021 10:02:29:078 CET] 0000010e JSONUtil      3   The claim is optional; ignoring exception [An error occurred when attempting to retrieve the [id_token] claim [com.google.gson.JsonArray incompatible with com.google.gson.JsonPrimitive]].
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  and OpenID Connect                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: OIDC login may fail with Implicit grant *
    *                      flow saying that nonce is not present   *
    *                      when it is.                             *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains                                    *
    *                  this APAR.                                  *
    ****************************************************************
    If the OIDC TAI is configured to perform a login using the
    Implicit grant flow (provider_(id).responseType=id_token or
    token+id_token), the login may fail with the following error:
    CWTAI2007E: The OpenID Connect relying party (RP) encountered
    a failure during the login. The exception is
    [com.ibm.ws.security.oidc.client.RelyingPartyException: The
    OIDC RP encountered an error when valdating the nonce claim [A
    nonce claim is required in the idToken, but one is not
    present.]].
    

Problem conclusion

  • If the OIDC TAI is configured to perform a login using the
    Implicit grant flow (provider_(id).responseType=id_token or
    token+id_token), then when the TAI receives the response from the OP,
    it converts the response into a JSON string so that the rest of the
    runtime can process it as if it had come from the code flow.
    
    The method that creates that JSON string handles an element with
    only one entry incorrectly: the single value is emitted as a JSON
    array rather than a primitive, so the id_token claim cannot be read
    and the nonce it carries is never seen.
    
    The OIDC TAI is updated so that it properly constructs the JSON
    string.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.20 and 9.0.5.8. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
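
The following Python is an added illustration, not IBM's code and not the TAI's actual implementation. It models the conversion defect described above: a buggy converter that emits every response parameter as a JSON array, beside a corrected one that unwraps single-entry elements, and a claim accessor that, like the trace shows, treats an array where a string is expected as an absent optional claim, so the nonce check downstream fails even though the OP did return a nonce. The fragment parameters, the HS256 secret, the id_token and the nonce are all constructed for the example; the function names are hypothetical stand-ins.

```python
"""Added example (not IBM's code): reproduce the implicit-flow response
conversion defect behind this APAR and show the corrected conversion,
then run the nonce validation that fails downstream.  Every token,
secret and parameter value below is constructed test data."""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT (constructed test data, not an OP's token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, secret: bytes) -> dict:
    """Check the HS256 signature and return the claims; raise on failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("id_token signature invalid")
    return json.loads(_b64url_decode(payload))


def response_to_json_buggy(params: dict) -> str:
    """Models the defect: each parameter (a list of values, like a servlet
    Map<String,String[]>) becomes a JSON array even when it has one entry,
    so id_token is emitted as ["..."] instead of "..."."""
    return json.dumps(dict(params))


def response_to_json_fixed(params: dict) -> str:
    """Corrected conversion: single-entry elements are unwrapped to a
    primitive; genuinely multi-valued parameters stay arrays."""
    return json.dumps({k: (v[0] if len(v) == 1 else v) for k, v in params.items()})


def get_string_claim(obj: dict, name: str):
    """Models the RP's claim accessor from the trace: a string is returned,
    an array is 'JsonArray incompatible with JsonPrimitive' and, because
    the claim is optional, is ignored (treated as absent)."""
    value = obj.get(name)
    return value if isinstance(value, str) else None


def id_token_claim(response_json: str):
    return get_string_claim(json.loads(response_json), "id_token")


def validate_nonce(response_json: str, expected_nonce: str, secret: bytes) -> str:
    """Return 'ok' or the failure text the RP reports.  When the id_token
    could not be read, the RP's message is the same misleading nonce error."""
    id_token = id_token_claim(response_json)
    if id_token is None:
        return "A nonce claim is required in the idToken, but one is not present."
    claims = verify_id_token(id_token, secret)
    nonce = claims.get("nonce")
    if nonce is None:
        return "A nonce claim is required in the idToken, but one is not present."
    if not hmac.compare_digest(nonce, expected_nonce):
        return "nonce mismatch"
    return "ok"


SECRET = b"constructed-example-secret"          # constructed, not a real key
NONCE = "n-0S6_WzA2Mj"                          # value the RP stored in the session
# Constructed implicit-flow fragment as the OP would return it (responseType=id_token).
FRAGMENT = (
    "id_token=" + make_id_token(
        {"iss": "https://op.example", "sub": "alice", "aud": "rp-client", "nonce": NONCE},
        SECRET,
    )
    + "&token_type=Bearer&state=af0ifjsldkj"
)
PARAMS = parse_qs(FRAGMENT)  # name -> list of values, like Map<String,String[]>


def run() -> dict:
    return {
        "buggy": validate_nonce(response_to_json_buggy(PARAMS), NONCE, SECRET),
        "fixed": validate_nonce(response_to_json_fixed(PARAMS), NONCE, SECRET),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name}: {result}")
```

Running it prints the CWTAI2007E-style nonce text for the buggy converter and "ok" for the fixed one with the same OP response, which is the diagnostic signal in the APAR: when the trace shows the id_token claim being ignored as incompatible, the nonce error is a symptom of the conversion, not of the OP omitting the nonce.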
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH35185

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-03-10

  • Closed date

    2021-04-07

  • Last modified date

    2021-04-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
06 December 2021