IBM Support

PH20118: OIDC RP: SHOULD NOT REQUIRE SCOPE CLAIM ON RESPONSE FROM OP

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The OpenID Connect Relying Party should not require the scope
    claim in the response from an OpenID Provider.  The scope
    claim is OPTIONAL.
    
    The OpenID Connect RP emits and error and the request fails if
    a scope claim is not received from an OP if a scope claim is
    not received from an introspection endpoint.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  and OpenID Connect                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: OIDC RP is requiring a scope claim in   *
    *                      the                                     *
    *                      response from an introspect endpoint,   *
    *                      but                                     *
    *                      it should be optional.                  *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  includes                                    *
    *                  this APAR.                                  *
    ****************************************************************
    The scope claim is not required in the response from
    introspection
    endpoint on an OpenID Provider (OP).  If the OpenID Connect
    (OIDC)
    Relying Party (RP) Trust Association Interceptor (TAI) receives
    a
    response without a scope claim from an introspection endpoint,
    an
    error will occur.
    

Problem conclusion

  • The OIDC TAI is updated so that it does not require the scope cl
    in an response from an introspection endpoint.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 8.5.5.18 and 9.0.5.3.  Please refer to the Recommended Upda
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH20118

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-12-10

  • Closed date

    2020-01-21

  • Last modified date

    2020-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
17 October 2021