IBM Support

PH10892: OIDC RP HAS NO API FOR OBTAINING TOKENS OR MANUALLY TRIGGERING ACCESS TOKEN REFRESH

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Although you can programmatically obtain, from the runAs
    Subject, the token information associated with OpenID Connect,
    there are no easy to use APIs to obtain this information.  There
    are also no APIs that can be used to trigger operations, such
    as refreshing an expired access token or obtaining the latest
    user information from the OpenID provider.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenID Connect                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC RP does not have methods to    *
    *                      programmatically obtain tokens or       *
    *                      perform operations.                     *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The OpenID Connect Relying Party does not have APIs available
    to obtain its ID token, access token and other associated
    information from the runAs Subject.
    

Problem conclusion

  • The following utility class is added to the OpenID Connect
    (OIDC) Relying Party:
    
    com.ibm.websphere.security.oidc.util.OidcClientHelper
    
    This class can be found in the following jars:
    
    (washome)/plugins/com.ibm.ws.security.oidc.client.jar
    (washome)/dev/was_public.jar
    
    The following methods are available in the new class:
    
    public static String getIdTokenFromSubject();
    public static String getAccessTokenFromSubject();
    public static String getRefreshTokenFromSubject();
    public static String getTokenTypeFromSubject();
    public static String getUserInfoFromSubject();
    public static String getValidAccessToken();
    public static String getUserInfoFromServer();
    public static Subject getRunAsSubject();
    
    
    Following is the javadoc for the new methods:
    
    /**
    * Retrieve the ID token from the current runAs Subject.
    *
    * @return JSON String representation of the ID token or null
    * if there is no ID token on the Subject
    *
    * @throws Exception if an error occurs either while obtaining
    * the runAs Subject or accessing the private credentials.
    */
    
    public static String getIdTokenFromSubject();
    
    
    /**
    * Retrieve the access token from the current runAs Subject.
    *
    * @return JSON String representation of the Access token or
    * null if there is no access token on the Subject
    *
    * @throws Exception if an error occurs either while obtaining
    * the runAs Subject or accessing the private credentials.
    */
    
    public static String getAccessTokenFromSubject();
    
    
    /**
    * Retrieve the refresh token from the current runAs Subject.
    *
    * @return JSON String representation of the refresh token or
    * null if there is no refresh token on the Subject
    *
    * @throws Exception if an error occurs either while obtaining
    * the runAs Subject or accessing the private credentials.
    */
    
    public static String getRefreshTokenFromSubject();
    
    
    /**
    * Retrieve the token type from the current runAs Subject.
    *
    * @return The token type or null if there is no token type on
    * the Subject
    *
    * @throws Exception if an error occurs either while obtaining
    * the runAs Subject or accessing the private credentials.
    */
    
    public static String getTokenTypeFromSubject();
    
    
    /**
    * Retrieve the scope of the access token from the current runAs
    * Subject.
    *
    * @return The scope of the access token or null if there is no
    * scope on the Subject
    *
    * @throws Exception if an error occurs either while obtaining
    * the runAs Subject or accessing the private credentials.
    */
    
    public static String getScopeFromSubject();
    
    
    /**
    * Retrieve the userInfo associated with the access token from
    * the current runAs Subject.
    *
    * If there is a userinfoEndpointUrl configured for the access
    * token on the Subject, this method will return the userInfo
    * associated with the access token.
    *
    * @return The userInfo associated with the access token or null
    * if there is no userInfo on the Subject
    *
    * @throws Exception if an error occurs either while obtaining
    * the runAs Subject or accessing the private credentials.
    */
    
    public static String getUserInfoFromSubject();
    
    
    /**
    * Retrieve a valid access token based on the access token in
    * the current runAs Subject.
    *
    * A null value will be returned in the following instances:
    *
    * Trust Association is not enabled.
    * The OIDC RP TAI is not configured and successfully initialized
    * There is no access token on the runAs Subject.
    * There are any errors while attempting to obtain the OIDC
    *   session data associated with the access token on the runAs
    *   Subject.
    * The access token on the runAs Subject has expired and there
    *   is no refresh token associated with the access token.
    * The access token on the runAs Subject has expired and any
    *   error occurs while attempting to refresh the token.
    * The access token on the runAs Subject has expired and any
    *   error occurs while updating the OIDC session data.
    *
    * If the access token retrieved from the runAs subject has
    * expired and is successfully refreshed, the following will be
    * updated with the new access token:
    *
    * Its associated OIDC session data
    * The runAs Subject
    *
    * This method will only throw an exception if errors occur
    * related to the initial processing of the runAs Subject.
    *
    * If an error occurs after information has been retrieved from
    * the runAs Subject, an FFDC entry will be created, but the
    * exception will not be emitted by this method and the method
    * will return null in most cases.  If the access token has been
    * refreshed, but the runAs Subject cannot be updated, an FFDC
    * will be emitted and the method will return the new access
    * token.
    *
    * If there is a userinfoEndpointUrl configured for the access
    * token, the user info will also be refreshed.
    *
    * @return JSON String representation of a valid access token or
    * null if the conditions listed above are true.
    *
    * @throws Exception if an error occurs either while obtaining
    * the runAs Subject or accessing the private credentials.
    */
    
    public static String getValidAccessToken();
    
    
    /**
    * Retrieve the userInfo for the associated with the access
    * token from the configured userinfoEndpointUrl.  A null value
    * will be returned in the following instances:
    *
    * Trust Association is not enabled.
    * The OIDC RP TAI is not configured and successfully
    *   initialized
    * There is no access token on the runAs Subject.
    * There are any errors while attempting to obtain the OIDC
    *   session data associated with the access token on the runAs
    *   Subject.
    * There is no userinfoEndpointUrl configured for the access
    *   token on the runAs Subject.
    * If the access token on the runAs Subject has expired, any
    *   errors occur when attempting to refresh the access token.
    * An error occurred while obtaining the user info from the
    *   user info endpoint.
    *
    * If the user info is successfully retrieved server, the
    * following will be updated with the new user info:
    *
    * Its associated OIDC session data
    * The runAs Subject
    *
    * @return The userInfo retrieved from the server for the
    * associated with the access token or null in the cases
    * outlined above.
    *
    * @throws Exception if an error occurs either while obtaining
    * the runAs Subject or accessing the private credentials.
    */
    
    public static String getUserInfoFromServer();
    
    
    /**
    * getRunAsSubject returns a JAAS subject that represents the
    * RunAs identity.
    *
    * @return A JAAS subject that represents the RunAs identity.
    *
    * @throws Exception if an error occurs while obtaining the
    * runAs Subject
    */
    
    public static Subject getRunAsSubject();
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.16 and 9.0.5.0.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH10892

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-04-10

  • Closed date

    2019-06-19

  • Last modified date

    2019-06-19

  • APAR is sysrouted FROM one or more of the following:

    PH09691

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCVS22","label":"General"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
19 June 2019