IBM Support

PH22038: OIDC RP: SESSION COOKIE NAME SHOULD TO BE RELATED TO PROVIDER_<ID>.IDENTIFIER BUT RELATED TO PROVIDER_<ID>.CLIENTID

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • OIDC session cookie name supposed to be related to the
    provider_<id>.identifier but related to provider_<id>.clientID
    instead.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: OIDC RP session cookies might be        *
    *                      overwritten if more than one TAI        *
    *                      config entry uses the same clientId.    *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    OpenID Connect (OIDC) Relying Party (RP) Trust Association
    Interceptor (TAI) session cookies might be overwritten if two
    provider entries use the same clientId on the same or
    different OpenID providers (OPs).
    

Problem conclusion

  • The OIDC RP is using the value for the provier.<id>.clientId
    property to qualify each session cookie name for a provider
    configuration entry.  Therefore, if more than one provider
    entry used the same value for clientId, the cookie names would
    be the same.
    
    The OIDC RP TAI is updated to use the provier.<id>.providerId
    property to qualify the session cookie name.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.4.  For more information, see
    'Recommended Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH22038

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-02-11

  • Closed date

    2020-04-09

  • Last modified date

    2020-04-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850"}]

Document Information

Modified date:
27 August 2021