IBM Support

PH22195: OIDC RP: ENABLE USE OPENID PROVIDER'S WELL KNOWN CONFIGURATION URL


APAR status

  • Closed as new function.

Error description

  • The OpenID Connect specification provides a feature to
    expose configuration data (e.g. endpoint URLs, methods,
    algorithms) via the well-known configuration endpoint. If a
    provider exposes that endpoint, the OIDC TAI should fetch
    configuration data from there instead of forcing the user to
    configure it explicitly for the TAI.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC TAI does not support           *
    *                      discovery.                              *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The OpenID Connect (OIDC) Relying Party (RP) Trust Association
    Interceptor (TAI) cannot automatically load an OpenID
    provider's (OP's) configuration information.  All of the OP's
    endpoints, methods, and algorithms must be entered into the
    OIDC TAI configuration manually.
    

Problem conclusion

  • The OIDC RP TAI is updated to obtain OP configuration
    information from the provider's Well-Known Configuration
    Endpoint.
    
    The following OIDC TAI configuration properties are added:
    
    provider.<id>.useDiscovery
    Defaults:
    This property defaults to true if a value is specified for the
    provider.<id>.discoveryEndpointUrl property, otherwise, it
    defaults to false.
    
    Description:
    If this property is set to true, but a value is not specified
    for the discoveryEndpointUrl property, the default value for
    the discoveryEndpointUrl property will be used for discovery.
    If this property is set to false, the value for the
    discoveryEndpointUrl property will be ignored.
    
    provider.<id>.discoveryEndpointUrl
    Defaults:
    If provider.<id>.useDiscovery is set to true, the default
    value for this property is
    (ISSUER_IDENTIFIER)/.well-known/openid-configuration.
    
    Description:
    Specifies the endpoint URL for invoking the OpenID Connect
    Provider's discovery endpoint.  If the
    provider.<id>.useDiscovery property is set to false, the value
    for this property will be ignored.
    
    When this property is specified, the following properties will
    be obtained from the discovery result: [authorizeEndpointUrl,
    tokenEndpointUrl, userinfoEndpointUrl, revokeEndpointUrl,
    jwkEndpointUrl, tokenEndpointAuthMethod, issuerIdentifier,
    signatureAlgorithm].
    
    When the discoveryEndpointUrl property is included in the OIDC
    TAI configuration, if any of these properties are also
    included in the configuration, their settings will be ignored.
    A request is sent to the discovery endpoint and the data that
    is returned is processed when the OIDC TAI is initialized. If
    a discovery endpoint is not accessible at the time that the
    TAI is initialized, then the OIDC TAI configuration entries
    associated with the discovery endpoint will not be active and
    its requests will not be intercepted.
    
    The OIDC TAI does not refresh the data received from the
    discovery endpoint. If the OP changes its discovery
    information, then the application server must be restarted to
    use the new information.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.4.  For more information, see
    'Recommended Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
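    As an added example (not IBM's code), the following Python applies
    the rules above to a provider.<id>.* property map: the useDiscovery
    default, the well-known URL derived from the issuer identifier,
    discovered values replacing any configured copies of the eight listed
    properties, and an unreachable discovery endpoint leaving the provider
    inactive. Discovery-document key names are from the OIDC Discovery
    specification; taking the first listed value for tokenEndpointAuthMethod
    and signatureAlgorithm is an assumption, as is the constructed sample
    document.

```python
# Added example, not IBM's code: applies the precedence rules in this APAR
# to a provider.<id>.* property map. Discovery keys come from the OIDC
# Discovery spec; taking the first listed auth method / alg is an assumption.
WELL_KNOWN = "/.well-known/openid-configuration"

# discovery key -> the TAI property the APAR says is taken from discovery
DISCOVERED = {
    "authorization_endpoint": "authorizeEndpointUrl",
    "token_endpoint": "tokenEndpointUrl",
    "userinfo_endpoint": "userinfoEndpointUrl",
    "revocation_endpoint": "revokeEndpointUrl",
    "jwks_uri": "jwkEndpointUrl",
    "token_endpoint_auth_methods_supported": "tokenEndpointAuthMethod",
    "issuer": "issuerIdentifier",
    "id_token_signing_alg_values_supported": "signatureAlgorithm",
}

# Constructed sample discovery document standing in for the OP's response.
SAMPLE_DOC = {
    "issuer": "https://op.example/oidc",
    "authorization_endpoint": "https://op.example/oidc/authorize",
    "token_endpoint": "https://op.example/oidc/token",
    "jwks_uri": "https://op.example/oidc/jwks",
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
}

def discovery_url(props):
    """URL to call at TAI init, or None when discovery is off."""
    url = props.get("discoveryEndpointUrl")
    use = props.get("useDiscovery", url is not None)   # default rule
    if str(use).strip().lower() != "true":             # off: url ignored
        return None
    return url or props["issuerIdentifier"].rstrip("/") + WELL_KNOWN

def resolve_provider(props, fetch=lambda url: SAMPLE_DOC):
    """Return (active, effective_props); fetch(url) yields parsed JSON."""
    url = discovery_url(props)
    effective = dict(props)
    if url is None:
        return True, effective
    try:
        doc = fetch(url)
    except Exception:                     # OP unreachable at init: inactive
        return False, effective
    for key, prop in DISCOVERED.items():  # configured copies are ignored
        effective.pop(prop, None)
        value = doc.get(key)
        if value is not None:
            effective[prop] = value[0] if isinstance(value, list) else value
    return True, effective
```

    Because the TAI never refreshes discovery data, a change on the OP side
    is only picked up when resolve_provider runs again, i.e. at restart.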
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH22195

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-02-13

  • Closed date

    2020-05-19

  • Last modified date

    2020-05-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
27 August 2021