[1.0.1.0 and later][Network Deployment 9.0.5.26 or
later]

OIDC known issues and limitations

Known issues and limitations exist when you use OpenID Connect (OIDC) in a WebSphere® Application Server Network Deployment cell that includes IBM® Modernized Runtime Extension for Java™ (MoRE) .

OIDC

The following are known issues and limitations for migrating an OIDC RelyingParty TAI to managed Liberty servers.
  • You can migrate an existing WebSphere Application Server OIDC RelyingParty TAI configuration to the managed Liberty servers in a cell.
    • Some OIDC TAI properties do not migrate.
    • Some properties and property values cause the migration to fail. In such cases, the managed Liberty server might do one or more of the following actions.
      • Intercept requests unexpectedly
      • Allow improper authentication of a user
      • Impact the user experience significantly
  • Although OIDC on WebSphere Application Server requires session affinity, OIDC on a managed Liberty server does not.
  • Only the default context root for OIDC is supported on managed Liberty servers.
    • When the openidConnectClient-1.0 feature is configured as a class name for a trust association interceptor, the oidcClientWebapp setting is not available.
    • When the RelyingParty TAI configuration is migrated to managed Liberty servers, any provider entry that has callbackServletContext set to anything other than /oidcclient is not migrated.
  • The following properties are not migrated from the WebSphere Application Server RelyingParty TAI to managed Liberty servers.
    • alwaysInvalidateAccessTokenOnLogout
    • clusterCaching
    • jndiCacheName
    • maxCookieSize
    • maxStateCacheSize
    • maxStateCookieSize
    • opServerConnectionTimeout
    • sessionCacheCleanupFrequency
    • sessionCacheSize
    • useStateCookies
    • useUniqueStateCookies
    • provider_(id).allowImplicitClientFlow
    • provider_(id).allowJwtIssuerSelection
    • provider_(id).contentSecurityPolicy
    • provider_(id).contentType
    • provider_(id).decryptKeyPassword
    • provider_(id).defaultRealmName
    • provider_(id).encodeNewline
    • provider_(id).encodeParameters
    • provider_(id).endSessionEndpoint
    • provider_(id).endSessionEndpointEnabled
    • provider_(id).endSessionRedirectUrl
    • provider_(id).endSessionUseLogoutExitPage
    • provider_(id).excludedPathFilter
    • provider_(id).httpOnly
    • provider_(id).includePortInDefaultRedirectUrl
    • provider_(id).interceptedPathFilter
    • provider_(id).introspectClientId
    • provider_(id).introspectClientSecret
    • provider_(id).jsonWebKeyFile
    • provider_(id).loginErrorUrl
    • provider_(id).postParameterCookieSize
    • provider_(id).refreshBeforeAccessTokenExpiresTime
    • provider_(id).refreshExpiredAccessToken
    • provider_(id).revokeAccessToken
    • provider_(id).revokeEndpointEnabled
    • provider_(id).revokeEndpointUrl
    • provider_(id).revokeTokensOnCacheEviction
    • provider_(id).sendOpErrorParamsToLoginErrorUrl
    • provider_(id).sessionCacheTimeoutMinutes
    • provider_(id).signatureAllowList
    • provider_(id).signatureDenyList
    • provider_(id).useDefaultIdentifierFirst
    • provider_(id).useIssuer
  • The following table lists the properties that cause migration from a WebSphere Application Server OIDC RelyingParty TAI configuration to managed Liberty servers in the cell to fail. If you encounter any of these failure conditions, an alternate configuration method is required. If your migration fails, a message is written to the SystemOut.log file on the node agent and the node agent trace.log file.
    • To see the migration information in the trace.log file, set the following trace specification for your node agents:
      • com.ibm.ws.report.*=all

    In the following table, if a global property matches a qualified property, only the qualified property is shown in the table.

    Table 1. Properties that cause migration to fail

    The table consists of four columns. The first column lists the property, followed by the failure condition column, the comments column, and the action column.

    Property Failure condition Comments Action
    provider_(id).allowJwtIssuerSelection Value is set to true The allowJwtIssuerSelection function is not available in the Liberty OIDC configuration. If you want to migrate the configuration, you must define an explicit filter to intercept requests. Do not set the provider_(id).allowJwtIssuerSelection, and ensure that your requests can be intercepted by using the provider_(id).filter property.
    provider_(id).callbackServletContext Value is set to anything other than /oidcclient (the default). Remove the provider_(id).callbackServletContext property or set the value to /oidcclient.
    provider_(id).contentSecurityPolicy Value is set to any value OIDC in Liberty cannot add a Content Security Policy (CSP) header to the outbound JavaScript. If you want to migrate the configuration, you must not include the contentSecurityPolicy property and modify your OP to not require a CSP for JavaScript requests. Do not include the contentSecurityPolicy property and modify your OP to not require a CSP for JavaScript requests.
    provider_(id).contentType Value is set to anything other than text/html; charset=UTF-8 OIDC in Liberty does not support customization of the Content-Type header in the outbound message to the OP. If you want to migrate this configuration, you must not include the contentType OIDC TAI property and modify your OP to not require a specific Content-Type. Do not include the contentType OIDC TAI property and modify your OP to not require a specific Content-Type.
    provider_(id).decryptKeyPassword Value is set to any value OIDC in Liberty does not support the use of a password on the key that is used to decrypt an encrypted JWT. If you want to migrate this configuration, you must: 1) remove the password from your key in the keystore and 2) remove the decryptKeyPassword OIDC TAI property.
    provider_(id).encodeParameters Value is set to true OIDC in Liberty does not support encoding the client_id and client_secret on requests to the OP. Set provider_(id).encodeParameters to false.
    provider_(id).endSessionEndpointEnabled Value is set to true OIDC in Liberty does not support the configuration of SP-Initiated logout in the same way that the OIDC TAI does, therefore the entire set of endSession properties do not work as expected. Make sure that the endSessionEndpointEnabled property is set to false (the default value) and modify your application to not require the configuration of the endSessioEndpoint.
    provider_(id).excludedPathFilter Value is set to any value This property operates only on the path portion of the request URL. Liberty does not have this function in the authFilter. Use the provider_(id).filter property instead.
    provider_(id).filter No instance of the filter property exists, or the value for the filter property contains logical OR (||) or regular expression (~=)
    1. Make sure that a filter property exists
    2. Make sure that the value for the filter property does not contain a logical OR (||)
    3. Make sure that the value for the filter property does not contain a regular expression (~=)
    provider_(id).interceptedPathFilter Value is set to any value This property operates only on the path portion of the request URL. Liberty does not have this function in the authFilter. Use the provider_(id).filter property instead.
    provider_(id).introspectClientId Value is set to any value OIDC in Liberty does not support sending a clientId to the introspected endpoint. Remove the introspectClientId property and modify your OP to not require a clientId for introspect requests.
    provider_(id).jsonWebKeyFile Value is set to any value OIDC in Liberty does not support the use of a JSON Web Key (JWK) in file format. Remove the jsonWebKeyFile property and make sure that you configure a signVerifyAlias or jwkEndpointUrl. The jwkEndpointUrl property can be in the configuration or obtained from the discovery endpoint.
    provider_(id).loginErrorUrl Value is set to any value OIDC in Liberty does not support redirecting to a customized error page upon authentication failure. Remove the provider_(id).loginErrorUrl property.
    provider_(id).signatureAlgorithm Value is set to HEADER (the default) When the signatureAlgorithm is set to HEADER (the default), the OIDC runtime to pull the algorithm for signature validation from the inbound JWT. OIDC in Liberty does not support this function. Find the signature algorithm that the OP uses to sign JWTs, then set that value for the signatureAlgorithm. An example is RS256.
    provider_(id).useDefaultIdentifierFirst Value is set to true OIDC in Liberty supports the use of only one claim name each for the groupIdentifier, issuerIdentifier, realmIdentifier, userIdentifier, and uniqueUserIdentifier properties. You cannot specify a custom claim name and expect the runtime to also use the default claim name. Remove the provider_(id).useDefaultIdentifierFirst property or set it to false.