IBM Support

PH15626: OIDC RP: ENABLE CONFIGURATION OF A LOGIN ERROR URL

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The OIDC RP always emits a 401 in the browser when
    authentication fails.  The OIDC RP should give the ability to
    redirect to an error page.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenId Connect                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Allow configuration of a login error    *
    *                      url for OpenId Connect                  *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  includes this APAR.                         *
    ****************************************************************
    When using the OpenId Connect (OIDC) Relying Party (RP) Trust
    Association Interceptor (TAI), if user authentication fails and
    the OpenId Connect provider does not have its own error page, a
    401 is displayed in the browser window.  Administrators may
    want to take different actions to implement more user-friendly
    behavior.
    

Problem conclusion

  • The OIDC TAI is updated to allow an administrator to configure
    an error page to which to redirect when a login fails.  This
    function only works if the OP redirects back to the RP on
    error.  Not all OPs do this.
    
    Two new custom properties are added to the OIDC TAI:
    loginErrorUrl and sendOpErrorParamsToLoginErrorUrl.
    
    =======================
    provider_<id>.loginErrorUrl
    
    Values:
    This property does not have a default value.
    
    Description:
    Specifies the URL to which the Relying Party should redirect
    when a login error is received from an OpenID Connect Provider.
    
    =======================
    provider_<id>.sendOpErrorParamsToLoginErrorUrl
    
    Values:
    true
    false (the default)
    
    Description:
    When this property is set to true, the Relying Party will
    forward to the error URL, the error, error_description, and
    error_uri parameters that were received from the OpenID
    Connect Provider.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.17 and 9.0.5.2.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH15626

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-08-14

  • Closed date

    2019-10-22

  • Last modified date

    2019-10-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
17 October 2021