Fixes are available
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as new function.
Error description
WebSphere Application Server does not have the ability to use a JWT on an http request header for securing access to a protected resource.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
* Server                                                       *
****************************************************************
* PROBLEM DESCRIPTION: A resource cannot be secured using a    *
* JWT on an http header                                        *
****************************************************************
* RECOMMENDATION: Install a fix pack or interim fix that       *
* contains this APAR.                                          *
****************************************************************
WebSphere Application Server does not have the ability to use a JWT on an http request header for access to a protected resource.
Problem conclusion
Currently, the OpenID Connect (OIDC) Trust Association Interceptor (TAI) only supports a traditional OIDC flow. If a JWT is sent on an HTTP request header, the JWT is not validated and the request is redirected to an OpenID provider (OP) for authentication. The OIDC TAI is updated so that it can accept JWTs on the HTTP Authorization header to secure access to protected resources. The following OIDC TAI custom properties are added to enable this feature:

===============================
provider_<id>.useJwtFromRequest
Values: no (default), required, ifPresent
Controls processing if a JWT is found in the HTTP request Authorization header:
  no = do not use a JWT for authentication. If a provider is configured, introspection of the JWT with the provider will be attempted.
  required = must use the JWT from the request. A provider is not used.
  ifPresent = use a JWT if present. If a JWT is missing or invalid, fall back to using the provider for authentication, if one is configured.
===============================
provider_<id>.tokenReuse
Values: true (default), false
Specifies if a JWT can be used more than once. If this property is set to false, then a JWT containing a 'jti' claim cannot be reused.
===============================
provider_<id>.audiences
Values: Any comma-separated audience string or ALL_AUDIENCES
Specifies a comma-separated list of trusted audiences to be verified against the 'aud' claim in the JsonWebToken. If 'ALL_AUDIENCES' is specified, then all are trusted. An 'aud' claim must exist in the JWT if this property is set to a value.
===============================
provider_<id>.setLtpaCookie
Values: true, false (default)
Determines whether the OIDC TAI sets an LTPA cookie in the response after successful authentication with an inbound JWT. This is supported only when useJwtFromRequest is set to either 'required' or 'ifPresent'.
===============================

The fix for this APAR is currently targeted for inclusion in fix packs 8.5.5.16 and 9.0.5.0.
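The following is an added illustration, not WebSphere code: a small Python model of how useJwtFromRequest, tokenReuse and audiences combine to decide whether an inbound Bearer JWT is accepted, the request falls back to the OP, or it is rejected. Signature and expiry checking is assumed to happen in a hypothetical `validate` callback; `demo_validate` and its claim sets are constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ProviderConfig:  # constructed model of the provider_<id>.* properties
    use_jwt_from_request: str = "no"   # no | required | ifPresent
    token_reuse: bool = True           # False: a JWT carrying 'jti' is single-use
    audiences: Optional[str] = None    # comma-separated list or ALL_AUDIENCES
    seen_jti: set = field(default_factory=set)  # replay cache (constructed)

def audience_ok(cfg, claims):
    """Apply provider_<id>.audiences to the 'aud' claim."""
    if cfg.audiences is None:
        return True
    aud = claims.get("aud")
    if aud is None:           # 'aud' must exist once the property is set
        return False
    if cfg.audiences == "ALL_AUDIENCES":
        return True
    trusted = {a.strip() for a in cfg.audiences.split(",")}
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in trusted for a in auds)

def reuse_ok(cfg, claims):
    """Apply provider_<id>.tokenReuse; only tokens with 'jti' are constrained."""
    jti = claims.get("jti")
    if cfg.token_reuse or jti is None:
        return True
    if jti in cfg.seen_jti:   # replayed single-use token
        return False
    cfg.seen_jti.add(jti)
    return True

def decide(cfg, authorization_header, validate):
    """Return 'jwt', 'provider' (fall back to the OP) or 'reject'."""
    # 'required' never consults the provider; the other modes fall back to it
    fallback = "reject" if cfg.use_jwt_from_request == "required" else "provider"
    prefix = "Bearer "
    if cfg.use_jwt_from_request == "no" or not (authorization_header or "").startswith(prefix):
        return fallback
    claims = validate(authorization_header[len(prefix):])  # None when invalid
    if claims and audience_ok(cfg, claims) and reuse_ok(cfg, claims):
        return "jwt"
    return fallback

def demo_validate(token):
    """Constructed stand-in for real JWT validation (no cryptography here)."""
    return {"good": {"aud": "api", "jti": "t1"}, "noaud": {"jti": "t2"}}.get(token)
```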
Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PH12520
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-05-28
Closed date
2019-06-19
Last modified date
2020-09-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
28 April 2022