IBM Support

PH15248: OIDCCLIENTHELPER METHODS MAY RETURN NULL UNEXPECTEDLY

APAR status

  • Closed as program error.

Error description

  • With the OIDC RP, after initial login, the OIDC information is
    placed on the runAs Subject.  If an application attempts to
    retrieve the OIDC information from a Subject some time after
    the initial login, the information may not be found because
    the private credentials are empty.
    
    This issue seems to be related to attempting to access the
    Subject from a JAAS login.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenId Connect                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: OidcClientHelper may return null when   *
    *                      OIDC attributes should be present on    *
    *                      the Subject.                            *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  includes this APAR.                         *
    ****************************************************************
    When a method in the
    com.ibm.websphere.security.oidc.util.OidcClientHelper class is
    used to retrieve OpenId Connect (OIDC) Relying Party (RP)
    information from a WebSphere subject, the method may return
    null even though there should be OIDC information on the
    Subject.
    

Problem conclusion

  • The methods in the
    com.ibm.websphere.security.oidc.util.OidcClientHelper class
    operate on the runAs subject.  If you are running the methods
    from a business application, the methods will work as
    expected.  However, if you are running the methods from a
    JAAS login module, there are conditions where the JAAS
    Subject has already been updated with the OIDC data but the
    runAs subject has not.  In this case, the methods will return
    null.
    
    The com.ibm.websphere.security.oidc.util.OidcClientHelper
    class is updated to add new methods that allow you to pass in
    the Subject upon which it will operate instead of using the
    runAs subject.  The new methods are:
    
      /**
       * Retrieve the ID token from the input Subject
       *
       * @return JSON String representation of the ID token or
       * null if there is no ID token on the Subject
       * @throws Exception if an error occurs when accessing the
       * private credentials in the Subject.
       */
      public static String getIdTokenFromSubject(Subject subj)
      throws Exception;
    
      /**
       * Retrieve the access token from the input Subject
       *
       * @return JSON String representation of the Access token
       * or null if there is no access token on the Subject
       * @throws Exception if an error occurs when accessing the
       * private credentials in the Subject.
       */
      public static String getAccessTokenFromSubject(Subject subj)
      throws Exception;
    
      /**
       * Retrieve the refresh token from the input Subject
       *
       * @return JSON String representation of the refresh token
       * or null if there is no refresh token on the Subject
       * @throws Exception if an error occurs when accessing the
       * private credentials in the Subject.
       */
      public static String getRefreshTokenFromSubject(Subject
      subj) throws Exception;
    
      /**
       * Retrieve the token type from the input Subject
       *
       * @return The token type or null if there is no token type
       * on the Subject
       * @throws Exception if an error occurs when accessing the
       * private credentials in the Subject.
       */
      public static String getTokenTypeFromSubject(Subject subj)
      throws Exception;
    
      /**
       * Retrieve the scope of the access token from the input
       * Subject
       *
       * @return The scope of the access token or null if there
       * is no scope on the Subject
       * @throws Exception if an error occurs when accessing the
       * private credentials in the Subject.
       */
      public static String getScopeFromSubject(Subject subj)
      throws Exception;
    
      /**
       * Retrieve the userInfo associated with the access token
       * from the input Subject.
       * If there is a userinfoEndpointUrl configured for the
       * access token on the Subject, this method will return the
       * userInfo associated with the access token.
       *
       * @return The userInfo associated with the access token or
       * null if there is no userInfo on the Subject
       * @throws Exception if an error occurs when accessing the
       * private credentials in the Subject.
       */
      public static String getUserInfoFromSubject(Subject subj)
      throws Exception;
    
      /**
       * Retrieve a valid access token based on the access token
       * in the input Subject.
       * A null value will be returned in the following instances:
       *
       *  * The input subject is null.
       *  * Trust Association is not enabled.
       *  * The OIDC RP TAI is not configured and successfully
       *    initialized.
       *  * There is no access token on the input Subject.
       *  * There are any errors while attempting to obtain the
       *    OIDC session data associated with the access token
       *    on the input Subject.
       *  * The access token on the input Subject has expired and
       *    there is no refresh token associated with the access
       *    token.
       *  * The access token on the input Subject has expired and
       *    any error occurs while attempting to refresh the
       *    token.
       *  * The access token on the input Subject has expired and
       *    any error occurs while updating the OIDC session
       *    data.
       *
       * If the access token retrieved from the input subject has
       * expired and is successfully refreshed, the following will
       * be updated with the new access token:
       *
       *   * Its associated OIDC session data
       *   * The input Subject
       *
       * This method will only throw an exception if errors occur
       * related to the initial processing of the input Subject.
       * If an error occurs after information has been retrieved
       * from the input Subject, an FFDC entry will be created, but
       * the exception will not be emitted by this method and the
       * method will return null in most cases.  If the access
       * token has been refreshed, but the input Subject cannot
       * be updated, an FFDC will be emitted and the method will
       * return the new access token.
       * If there is a userinfoEndpointUrl configured for the
       * access token, the user info will also be refreshed.
       *
       * @return JSON String representation of a valid access
       * token or null if the conditions listed above are true.
       * @throws Exception if an error occurs when accessing the
       * private credentials in the Subject.
       */
      public static String getValidAccessToken(Subject subj)
      throws Exception;
    
      /**
       * Retrieve the userInfo associated with the access token
       * from the configured userinfoEndpointUrl.
       * A null value will be returned in the following instances:
       *
       *  * The input subject is null.
       *  * Trust Association is not enabled.
       *  * The OIDC RP TAI is not configured and successfully
       *    initialized.
       *  * There is no access token on the input Subject.
       *  * There are any errors while attempting to obtain the
       *    OIDC session data associated with the access token on
       *    the input Subject.
       *  * There is no userinfoEndpointUrl configured for the
       *    access token on the input Subject.
       *  * The access token on the input Subject has expired and
       *    an error occurs when attempting to refresh it.
       *  * An error occurred while obtaining the user info from
       *    the user info endpoint.
       *
       * If the user info is successfully retrieved from the
       * server, the following will be updated with the new user
       * info:
       *
       *   * Its associated OIDC session data
       *   * The input Subject
       *
       * @return The userInfo retrieved from the server for the
       * access token or null in the cases outlined above
       * @throws Exception if an error occurs when accessing the
       * private credentials in the Subject.
       */
      public static String getUserInfoFromServer(Subject subj)
      throws Exception;
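
    The JAAS scenario described above, as an added example (not
    code from this APAR or from WebSphere): a custom login module
    for a WebSphere system login that reads the access-token scope
    from the Subject it is handed, using getScopeFromSubject(Subject)
    from this APAR instead of the runAs-based getter, and refuses to
    commit the login when a required scope is missing. The class
    name, the "requiredScope" module option, and the placement of the
    module after the WebSphere-supplied modules in the system login
    configuration (so that the OIDC private credentials are already
    on the Subject when login() runs) are assumptions.

```java
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.websphere.security.oidc.util.OidcClientHelper;

/**
 * Custom JAAS login module that requires the OIDC access token on the
 * Subject being built to carry a given scope before the login commits.
 *
 * Example code written for this page; not shipped with WebSphere.
 *
 * It reads OIDC data from the Subject passed to initialize() with the
 * Subject-taking methods added by APAR PH15248. While a login module runs,
 * the runAs Subject may not yet hold the OIDC data, so the runAs-based
 * methods can return null here even though the tokens are present.
 *
 * Assumptions (not stated on the APAR page): the module is configured in
 * a WebSphere system login (for example WEB_INBOUND) after the
 * WebSphere-supplied modules, and the required scope is supplied through
 * a module option named "requiredScope" (default "openid").
 */
public class OidcScopeLoginModule implements LoginModule {

    private Subject subject;
    private String requiredScope;
    private boolean scopeChecked;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
            Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        Object opt = options.get("requiredScope");
        this.requiredScope = (opt == null) ? "openid" : opt.toString();
    }

    @Override
    public boolean login() throws LoginException {
        String scope;
        try {
            // Operates on the login Subject, not the runAs Subject.
            scope = OidcClientHelper.getScopeFromSubject(subject);
        } catch (Exception e) {
            // The private credentials could not be read: fail closed.
            LoginException le = new LoginException(
                    "Cannot read OIDC scope from Subject");
            le.initCause(e);
            throw le;
        }
        if (scope == null) {
            // No access token on this Subject, so this is not an OIDC
            // login (basic auth, LTPA token, ...). Ignore this module.
            return false;
        }
        if (!hasScope(scope, requiredScope)) {
            throw new LoginException("Access token lacks required scope '"
                    + requiredScope + "'");
        }
        scopeChecked = true;
        return true;
    }

    /** Scope values are space-separated (RFC 6749 section 3.3). */
    static boolean hasScope(String scopeValue, String wanted) {
        for (String s : scopeValue.trim().split("\\s+")) {
            if (s.equals(wanted)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public boolean commit() throws LoginException {
        // Nothing to add to the Subject; the check already ran in login().
        return scopeChecked;
    }

    @Override
    public boolean abort() throws LoginException {
        scopeChecked = false;
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        scopeChecked = false;
        return true;
    }
}
```

    Because getScopeFromSubject() returns null when there is no
    access token on the Subject, the module ignores itself (returns
    false from login()) for non-OIDC logins rather than failing
    them; an exception while reading the private credentials is
    wrapped in a LoginException so that the login fails closed
    instead of proceeding without the check.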
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 8.5.5.17 and 9.0.5.3.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
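
    A second added example (again not IBM's code) showing how a
    business application can consume getValidAccessToken(Subject)
    and the null semantics documented above: a servlet filter that
    distinguishes "not an OIDC login" (getAccessTokenFromSubject
    returns null, so the request passes through) from "OIDC token
    expired and not refreshable" (getValidAccessToken returns null,
    so the request is rejected with 401), and fails closed if the
    Subject's private credentials cannot be read. The filter's
    class name and the use of WSSubject.getRunAsSubject() from
    com.ibm.websphere.security.auth to obtain the current Subject
    are assumptions not stated on this page.

```java
import java.io.IOException;

import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.oidc.util.OidcClientHelper;

/**
 * Servlet filter that rejects requests whose OIDC access token has expired
 * and cannot be refreshed, instead of serving them on a stale login.
 *
 * Example code written for this page; not shipped with WebSphere.
 *
 * Assumption (not stated on the APAR page): WSSubject.getRunAsSubject()
 * is used to obtain the Subject for the current request thread. In a
 * business application the runAs Subject does carry the OIDC data, so
 * the Subject-taking helper methods can be applied to it directly.
 */
public class OidcTokenFreshnessFilter implements Filter {

    /** Outcome of the check, separated from servlet plumbing. */
    enum Verdict { NOT_OIDC, VALID, STALE }

    static Verdict check(Subject subj) {
        if (subj == null) {
            return Verdict.NOT_OIDC;
        }
        try {
            if (OidcClientHelper.getAccessTokenFromSubject(subj) == null) {
                // No OIDC data on this Subject: some other authentication
                // mechanism produced it, nothing to verify here.
                return Verdict.NOT_OIDC;
            }
            // Returns the current token, refreshing it (and updating the
            // Subject and the OIDC session data) if it has expired and a
            // refresh token exists; null means no usable token was obtained
            // for any of the reasons listed in the method's Javadoc.
            String valid = OidcClientHelper.getValidAccessToken(subj);
            return (valid == null) ? Verdict.STALE : Verdict.VALID;
        } catch (Exception e) {
            // The private credentials could not be read: fail closed.
            return Verdict.STALE;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        Subject runAs;
        try {
            runAs = WSSubject.getRunAsSubject();
        } catch (Exception e) {
            runAs = null;  // no security context on this thread
        }
        if (check(runAs) == Verdict.STALE) {
            HttpServletResponse http = (HttpServletResponse) res;
            http.setHeader("WWW-Authenticate",
                    "Bearer error=\"invalid_token\"");
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig cfg) {
    }

    @Override
    public void destroy() {
    }
}
```

    getValidAccessToken() may contact the OP's token endpoint to
    refresh an expired token and writes the result back to the
    Subject and the OIDC session data; errors after the initial
    Subject processing are recorded as FFDC and surface only as a
    null return, which is why the filter treats null as "no usable
    token" rather than as a transient condition to retry.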
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH15248

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-08-02

  • Closed date

    2019-10-29

  • Last modified date

    2019-10-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

Document Information

Modified date:
17 October 2021