Fixes are available
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
APAR status
Closed as program error.
Error description
RFC 6749 shows that client_secret is REQUIRED, but it also states: "The client MAY omit the parameter if the client secret is an empty string". The OIDC TAI requires the provider_<id>.clientSecret custom property and always sends the client_secret parameter to the OP, regardless of its value.
Local fix
N/A
Problem summary
USERS AFFECTED: IBM WebSphere Application Server users of OpenId Connect
PROBLEM DESCRIPTION: The OIDC provider_<id>.clientSecret property should be optional
RECOMMENDATION: Install a fix pack or interim fix that includes this APAR.
The provider_<id>.clientSecret custom property is required by the OpenId Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI). Since the client_secret parameter may not be a required parameter by an OpenId Connect provider (OP), the provider_<id>.clientSecret custom property should not be required by the OIDC RP TAI.
Problem conclusion
The OIDC RP TAI is updated to make the provider_<id>.clientSecret property optional. The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.17 and 9.0.5.2. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
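The difference this makes at the OP's token endpoint, shown as an added illustration (this is not IBM's TAI code). The function and argument names are hypothetical, client credentials are assumed to travel in the request body as RFC 6749 section 2.3.1 allows, and all sample values are constructed.

```python
from urllib.parse import urlencode, parse_qs


def build_token_request_body(code, redirect_uri, client_id,
                             client_secret=None, always_send_secret=False):
    """Form body for an authorization-code token request (RFC 6749 4.1.3).

    client_secret stands in for the value of provider_<id>.clientSecret;
    None or "" means the property was not configured.
    always_send_secret=True models the behaviour in the error description.
    """
    params = [
        ("grant_type", "authorization_code"),
        ("code", code),
        ("redirect_uri", redirect_uri),
        ("client_id", client_id),
    ]
    if always_send_secret:
        # Reported behaviour: the parameter is sent whatever its value,
        # so an unset secret goes out as an empty "client_secret=".
        params.append(("client_secret", client_secret or ""))
    elif client_secret:
        # RFC 6749 2.3.1: the client MAY omit the parameter when the
        # secret is an empty string, so only send it when one is set.
        params.append(("client_secret", client_secret))
    return urlencode(params)  # percent-encodes names and values


def sent_parameters(body):
    """Parse a form body back into {name: value}, keeping empty values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


if __name__ == "__main__":
    # Constructed sample values for a client with no secret configured.
    args = ("SplxlOBeZQQYbYS6WxSbIA", "https://rp.example.test/cb", "rp-client")
    print("always sent:", build_token_request_body(*args, always_send_secret=True))
    print("optional   :", build_token_request_body(*args))
```

An OP that registers the RP as a client without a secret may treat the empty `client_secret=` in the first form as a failed authentication attempt, which is why omitting the parameter matters.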
Temporary fix
Comments
APAR Information
APAR number
PH14676
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-07-18
Closed date
2019-10-22
Last modified date
2019-10-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
06 December 2021