Fixes are available
APAR status
Closed as new function.
Error description
The OpenID Connect specification provides a feature to expose configuration data (e.g.endpoint URLs, methods, algorithms) via the well-known configuration endpoint. If a provider exposes that endpoint, the OIDC TAI should fetch configuration data from there instead of forcing user to configure them explicitly for the TAI.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
* Server and OpenID Connect                                    *
****************************************************************
* PROBLEM DESCRIPTION: The OIDC TAI does not support           *
* discovery.                                                   *
****************************************************************
* RECOMMENDATION: Install a fix pack or interim fix that       *
* contains this APAR.                                          *
****************************************************************
The OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) cannot automatically load an OpenID Provider's (OP's) configuration information. All of its endpoints, methods, and algorithms must be entered into the OIDC TAI configuration manually.
Problem conclusion
The OIDC RP TAI is updated to obtain OP configuration information from the provider's Well-Known Configuration Endpoint. The following OIDC TAI configuration properties are added:

provider.<id>.useDiscovery
  Defaults: This property defaults to true if a value is specified for the provider.<id>.discoveryEndpointUrl property; otherwise, it defaults to false.
  Description: If this property is set to true but a value is not specified for the discoveryEndpointUrl property, the default value for the discoveryEndpointUrl property is used for discovery. If this property is set to false, the value for the discoveryEndpointUrl property is ignored.

provider.<id>.discoveryEndpointUrl
  Defaults: If provider.<id>.useDiscovery is set to true, the default value for this property is (ISSUER_IDENTIFIER)/.well-known/openid-configuration.
  Description: Specifies the endpoint URL for invoking the OpenID Connect Provider's discovery endpoint. If the provider.<id>.useDiscovery property is set to false, the value for this property is ignored. When this property is specified, the following properties are obtained from the discovery result: [authorizeEndpointUrl, tokenEndpointUrl, userinfoEndpointUrl, revokeEndpointUrl, jwkEndpointUrl, tokenEndpointAuthMethod, issuerIdentifier, signatureAlgorithm]. When the discoveryEndpointUrl property is included in the OIDC TAI configuration and any of these properties are also included in the configuration, their explicit settings are ignored.

A request is sent to the discovery endpoint and the data that is returned is processed when the OIDC TAI is initialized. If the discovery endpoint is not accessible at the time that the TAI is initialized, the OIDC TAI configuration entries associated with that discovery endpoint are not active and its requests are not intercepted. The OIDC TAI does not refresh the data received from the discovery endpoint.
If the OP changes its discovery information, then the application server must be restarted to use the new information. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.4. For more information, see 'Recommended Updates for WebSphere Application Server': http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PH22195
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-02-13
Closed date
2020-05-19
Last modified date
2020-05-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
06 December 2021