IBM Support

PH21827: OIDC TAI: NOTSERIALIZABLEEXCEPTION FOR JWTCLAIMS ERROR MAY OCCUR

Fixes are available

PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When using the Open ID Connect (OIDC) trust association
interceptor in WebSphere Application Server traditional, an
error may be reported by the DynaCache component that the
JwtClaims object is not serializable:

DYNA0052E: The cached object can not be
replicated or saved to disk. CacheID=1618033989
ClassName=com.ibm.ws.security.oidc.client.SessionData
Type=cache-value Exception=java.io.NotSerializableException:
org.jose4j.jwt.JwtClaims

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server and OIDC                             *
****************************************************************
* PROBLEM DESCRIPTION: java.io.NotSerializableException may    *
*                      occur when using the OIDC TAI           *
****************************************************************
* RECOMMENDATION:  Install a fix pack or interim fix that      *
*                  contains this APAR.                         *
****************************************************************
When using the OpenID Connect (OIDC) trust association
interceptor (TAI), a java.io.NotSerializableException error for
the org.jose4j.jwt.JwtClaims object may occur.  When this
problem
happens, an entry like this will appear in the log:
DYNA0052E: The cached object can not be replicated or saved to
disk.  CacheID=1618033989
ClassName=com.ibm.ws.security.oidc.client.SessionData
Type=cache-value
Exception=java.io.NotSerializableException:
org.jose4j.jwt.JwtClaims

    



Problem conclusion


    

  • By default, the OIDC TAI stores data in a DynaCache object.
When used in a cluster envioronment, if the cache that OIDC
is configured to use is a shared with all the servers in the
cluster, then all the objects in the cache must be
serializable.

The SessionData object that OIDC stores in DynaCache includes
a org.jose4j.jwt.JwtClaims object.  This object is not
serializable.  When the DynaCache component attempts to
replicate a cache that contains a JwtClaims object, a
java.io.NotSerializableException error will occur.

The OIDC TAI is updated so that the org.jose4j.jwt.JwtClaims
object is no longer included in the OIDC session data.

As a result of this change, when using the OIDC TAI to
perform JWT authentication:
* The SessionData associated with each request is no longer
stored.  Since the JWT is verified for each request when
performing JWT authentication, the SessionData is not
needed.

* An org.jose4j.jwt.JwtClaims object is no longer stored on
the runAs Subject.  However, the access token from the request
is stored on the runAs Subject and is accessible via the
com.ibm.websphere.security.oidc.util.OidcClientHelper.getJwtFrom
Subject() API.  See the OIDCClientHelper Javadoc article in
the Knowledge Center for additional information:
https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.5
/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/se
curity/oidc/util/OidcClientHelper.html

The following methods are added to the
com.ibm.websphere.security.oidc.util.OidcClientHelper API:

getJwtClaimsAsString(String)
getJwtClaimsAsMap(String)
json2map(String)
getJwtFromSubject()
getJwtFromSubject(Subject)

/**
 * Get the JWT claims from a JWT as a JSON String.
 *
 * For example:
 * {"sub":"1234567890","name":"John Doe", "admin": true,
 * "exp":1588806453}
 *
 * @return The JWT claims JSON String
 * @throws Exception if an error occurs decoding the JWT
 */
public static String getJwtClaimsAsString(String jwtString)
throws Exception

/**
 * Get the JWT claims from a JWT as a Map.
 *
 * The Map will have value types that correspond to the
 * values in the claims string.  For instance,
 * the following claims string:
 * {"sub":"1234567890","name":"John Doe", "admin": true,
 * "exp":1588806453}
 *
 * will produce the map entries with the value types:
 * String, String, Boolean, Long
 *
 * @return The JWT claims JSON represented as a Map
 * @throws Exception if an error occurs decoding the JWT
 */
public static Map<String,Object> getJwtClaimsAsMap(String
jwtString) throws Exception

/**
 * Convert a JSON String to a Map.
 *
 * The Map will have value types that correspond to the
 * values in the JSON string.  For instance,
 * the following JSON string:
 * {"sub":"1234567890","name":"John Doe", "admin": true,
 * "exp":1588806453}
 *
 * will produce the map entries with the value types:
 * String, String, Boolean, Long
 *
 * @return A Map created from the JSON String
 * @throws Exception if an error occurs creating the Map
 */
public static Map<String,Object> json2map(String jsonString)
throws Exception

/**
 * Retrieve the JWT Authentication token from the current
 * runAs Subject.
 *
 * @return The JWT Authentication token String or null if
 * there is no JWT Authentication token on the Subject
 * @throws Exception if an error occurs either while
 * obtaining the runAs Subject or accessing the private
 * credentials.
 */
public static String getJwtFromSubject() throws Exception

/**
 * Retrieve the JWT Authentication token from the input
 * Subject.
 *
 * @return The JWT Authentication token String or null if
 * there is no JWT Authentication token on the Subject
 * @throws Exception if an error occurs when accessing the
 * private credentials in the Subject.
 */
public static String getJwtFromSubject(Subject subj) throws
Exception


The fix for this APAR is targeted for inclusion in fix
packs
8.5.5.18 and 9.0.5.5.  For more information, see
'Recommended
Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?
rs=180&uid=swg27004980

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH21827
    • 

  • Reported component name
    WEBSPHERE APP S
    • 

  • Reported component ID
    5724J0800
    • 

  • Reported release
    900
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2020-02-05
    • 

  • Closed date
    2020-06-29
    • 

  • Last modified date
    2020-09-23
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WEBSPHERE APP S
    • 

  • Fixed component ID
    5724J0800
    • 



Applicable component levels


    

  • R850  PSY
       UP
    • 

  • R900  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            06 December 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback