IBM Support

PH14676: OIDC RP: OMIT CLIENT_SECRET OAUTH 2.0 PARAMETER IF THE CLIENT_SECRET IS AN EMPTY STRING

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • rfc6749 shows that client_secret is REQUIRED but it also
    states:  "The client MAY omit the parameter if the client
    secret is an empty string".
    
    The OIDC TAI is requring the provider_<id>.clientSecret custom
    property and is always sending the client_secret parameter to
    the OP regardless of its value.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenId Connect                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC provider_<id>.clientSecret     *
    *                      property should be optional             *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  includes this APAR.                         *
    ****************************************************************
    The provider_<id>.clientSecret custom property is required by
    the OpenId Connect (OIDC) Relying Party (RP) Trust Association
    Interceptor (TAI).  Since the client_secret parameter may not
    be a required parameter by an OpenId Connect provider (OP), the
    provider_<id>.clientSecret custom property should not be
    required by the OIDC RP TAI.
    

Problem conclusion

  • The OIDC RP TAI is updated to make the
    provider_<id>.clientSecret property optional.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.17 and 9.0.5.2.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH14676

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-07-18

  • Closed date

    2019-10-22

  • Last modified date

    2019-10-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
15 October 2021