IBM Support

PH17304: OIDC RP CANNOT SEND A CONTENT-SECURITY-POLICY HEADER TO THE OPENID CONNECT PROVIDER

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • The OpenID Connect (OIDC) Relying Party (RP) Trust Association
    Interceptor (TAI) cannot send a Content-Security-Policy
    HTTP header on the authentication request to the OpenID
    Provider (OP).  The WebSphere OIDC RP cannot interoperate with
    an OP if its web server is requiring a Content-Security-Policy.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All WebSphere Application Server users of   *
    *                  the OIDC RP TAI                             *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC TAI cannot send a              *
    *                      Content-Security-Policy HTTP header     *
    *                      to the OP on the authentication         *
    *                      request.                                *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix for this  *
    *                  APAR.                                       *
    ****************************************************************
    The OIDC TAI cannot send a Content-Security-Policy
    HTTP header on the authentication request to the OP.  The
    WebSphere OIDC RP cannot interoperate with an OP if its web
    server is requiring a Content-Security-Policy.
    

Problem conclusion

  • The OIDC RP TAI is updated to allow the
    Content-Security-Policy HTTP header to be sent to the OP on
    the authentication request.
    
    The following OIDC RP TAI custom property is added:
    provider_.contentSecurityPolicy
    
    This property is optional and does not have a default value.
    
    If you want a Content-Security-Policy HTTP header to be
    included in the initial login request that is sent to your OP,
    set the provider_<id>.contentSecurityPolicy property to the
    value that you want to use for the Content-Security-Policy
    HTTP header.  If your Content-Security-Policy value requires a
    nonce, you can use the %NONCE% keyword to indicate where the
    nonce should be placed in the text.  For example:
    script-src 'self' 'nonce-%NONCE%' ; object-src 'self';
    frame-src 'self'
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.17, 9.0.5.3.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH17304

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-09-24

  • Closed date

    2019-12-02

  • Last modified date

    2020-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
17 October 2021