OIDC known issues and limitations
Known issues and limitations exist when you use OpenID Connect (OIDC) in a WebSphere® Application Server Network Deployment cell that includes IBM® Modernized Runtime Extension for Java™ (MoRE)
.
OIDC
The following are known issues and limitations for migrating an OIDC
RelyingParty TAI to managed Liberty servers.- You can migrate an existing WebSphere Application Server OIDC
RelyingParty TAI configuration to the managed Liberty servers in a cell.
- Some OIDC TAI properties do not migrate.
- Some properties and property values cause the migration to fail. In such cases, the managed Liberty server might do one or more of the following actions.
- Intercept requests unexpectedly
- Allow improper authentication of a user
- Impact the user experience significantly
- Although OIDC on WebSphere Application Server requires session affinity, OIDC on a managed Liberty server does not.
- Only the default context root for OIDC is supported on managed Liberty servers.
- When the
openidConnectClient-1.0feature is configured as a class name for a trust association interceptor, theoidcClientWebappsetting is not available. - When the
RelyingPartyTAI configuration is migrated to managed Liberty servers, any provider entry that hascallbackServletContextset to anything other than/oidcclientis not migrated.
- When the
- The following properties are not migrated from the WebSphere Application Server RelyingParty TAI to managed Liberty servers.
- alwaysInvalidateAccessTokenOnLogout
- clusterCaching
- jndiCacheName
- maxCookieSize
- maxStateCacheSize
- maxStateCookieSize
- opServerConnectionTimeout
- sessionCacheCleanupFrequency
- sessionCacheSize
- useStateCookies
- useUniqueStateCookies
- provider_(id).allowImplicitClientFlow
- provider_(id).allowJwtIssuerSelection
- provider_(id).contentSecurityPolicy
- provider_(id).contentType
- provider_(id).decryptKeyPassword
- provider_(id).defaultRealmName
- provider_(id).encodeNewline
- provider_(id).encodeParameters
- provider_(id).endSessionEndpoint
- provider_(id).endSessionEndpointEnabled
- provider_(id).endSessionRedirectUrl
- provider_(id).endSessionUseLogoutExitPage
- provider_(id).excludedPathFilter
- provider_(id).httpOnly
- provider_(id).includePortInDefaultRedirectUrl
- provider_(id).interceptedPathFilter
- provider_(id).introspectClientId
- provider_(id).introspectClientSecret
- provider_(id).jsonWebKeyFile
- provider_(id).loginErrorUrl
- provider_(id).postParameterCookieSize
- provider_(id).refreshBeforeAccessTokenExpiresTime
- provider_(id).refreshExpiredAccessToken
- provider_(id).revokeAccessToken
- provider_(id).revokeEndpointEnabled
- provider_(id).revokeEndpointUrl
- provider_(id).revokeTokensOnCacheEviction
- provider_(id).sendOpErrorParamsToLoginErrorUrl
- provider_(id).sessionCacheTimeoutMinutes
- provider_(id).signatureAllowList
- provider_(id).signatureDenyList
- provider_(id).useDefaultIdentifierFirst
- provider_(id).useIssuer
- The following table lists the properties that cause migration from a WebSphere Application Server OIDC RelyingParty TAI configuration to managed
Liberty servers in the cell to fail. If you
encounter any of these failure conditions, an alternate
configuration method is required. If your migration fails, a message is written to the
SystemOut.logfile on the node agent and the node agenttrace.logfile.- To see the migration information in the
trace.logfile, set the following trace specification for your node agents:com.ibm.ws.report.*=all
In the following table, if a global property matches a qualified property, only the qualified property is shown in the table.
Table 1. Properties that cause migration to fail The table consists of four columns. The first column lists the property, followed by the failure condition column, the comments column, and the action column.
Property Failure condition Comments Action provider_(id).allowJwtIssuerSelection Value is set to true The allowJwtIssuerSelectionfunction is not available in the Liberty OIDC configuration. If you want to migrate the configuration, you must define an explicit filter to intercept requests.Do not set the provider_(id).allowJwtIssuerSelection, and ensure that your requests can be intercepted by using the provider_(id).filter property. provider_(id).callbackServletContext Value is set to anything other than /oidcclient(the default).Remove the provider_(id).callbackServletContextproperty or set the value to/oidcclient.provider_(id).contentSecurityPolicy Value is set to any value OIDC in Liberty cannot add a Content Security Policy (CSP) header to the outbound JavaScript. If you want to migrate the configuration, you must not include the contentSecurityPolicyproperty and modify your OP to not require a CSP for JavaScript requests.Do not include the contentSecurityPolicyproperty and modify your OP to not require a CSP for JavaScript requests.provider_(id).contentType Value is set to anything other than text/html; charset=UTF-8OIDC in Liberty does not support customization of the Content-Type header in the outbound message to the OP. If you want to migrate this configuration, you must not include the contentTypeOIDC TAI property and modify your OP to not require a specific Content-Type.Do not include the contentTypeOIDC TAI property and modify your OP to not require a specific Content-Type.provider_(id).decryptKeyPassword Value is set to any value OIDC in Liberty does not support the use of a password on the key that is used to decrypt an encrypted JWT. If you want to migrate this configuration, you must: 1) remove the password from your key in the keystore and 2) remove the decryptKeyPasswordOIDC TAI property.provider_(id).encodeParameters Value is set to trueOIDC in Liberty does not support encoding the client_idandclient_secreton requests to the OP.Set provider_(id).encodeParameters to false. provider_(id).endSessionEndpointEnabled Value is set to trueOIDC in Liberty does not support the configuration of SP-Initiated logout in the same way that the OIDC TAI does, therefore the entire set of endSessionproperties do not work as expected.Make sure that the endSessionEndpointEnabledproperty is set tofalse(the default value) and modify your application to not require the configuration of theendSessioEndpoint.provider_(id).excludedPathFilter Value is set to any value This property operates only on the pathportion of the request URL. Liberty does not have this function in theauthFilter.Use the provider_(id).filter property instead. provider_(id).filter No instance of the filterproperty exists, or the value for thefilterproperty contains logical OR (||) or regular expression (~=)- Make sure that a
filterproperty exists - Make sure that the value for the
filterproperty does not contain a logical OR (||) - Make sure that the value for the
filterproperty does not contain a regular expression (~=)
provider_(id).interceptedPathFilter Value is set to any value This property operates only on the pathportion of the request URL. Liberty does not have this function in theauthFilter.Use the provider_(id).filter property instead. provider_(id).introspectClientId Value is set to any value OIDC in Liberty does not support sending a clientIdto the introspected endpoint.Remove the introspectClientIdproperty and modify your OP to not require aclientIdfor introspect requests.provider_(id).jsonWebKeyFile Value is set to any value OIDC in Liberty does not support the use of a JSON Web Key (JWK) in file format. Remove the jsonWebKeyFileproperty and make sure that you configure asignVerifyAliasorjwkEndpointUrl. ThejwkEndpointUrlproperty can be in the configuration or obtained from the discovery endpoint.provider_(id).loginErrorUrl Value is set to any value OIDC in Liberty does not support redirecting to a customized error page upon authentication failure. Remove the provider_(id).loginErrorUrl property. provider_(id).signatureAlgorithm Value is set to HEADER(the default)When the signatureAlgorithmis set to HEADER (the default), the OIDC runtime to pull the algorithm for signature validation from the inbound JWT. OIDC in Liberty does not support this function.Find the signature algorithm that the OP uses to sign JWTs, then set that value for the signatureAlgorithm. An example is RS256.provider_(id).useDefaultIdentifierFirst Value is set to trueOIDC in Liberty supports the use of only one claim name each for the groupIdentifier,issuerIdentifier,realmIdentifier,userIdentifier, anduniqueUserIdentifierproperties. You cannot specify a custom claim name and expect the runtime to also use the default claim name.Remove the provider_(id).useDefaultIdentifierFirst property or set it to false. - To see the migration information in the