IBM Support

PH22195: OIDC RP: ENABLE USE OPENID PROVIDER'S WELL KNOWN CONFIGURATION URL

Fixes are available

PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • The OpenID Connect specification provides a feature to
expose configuration data (e.g.endpoint URLs, methods,
algorithms) via the well-known configuration endpoint. If a
provider exposes that endpoint, the OIDC TAI should fetch
configuration data from there instead of forcing user to
configure them explicitly for the TAI.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server and OpenID Connect                   *
****************************************************************
* PROBLEM DESCRIPTION: The OIDC TAI does not support           *
*                      discovery.                              *
****************************************************************
* RECOMMENDATION:  Install a fix pack or interim fix that      *
*                  contains this APAR.                         *
****************************************************************
The OpenID Connect (OIDC) Relying Party (RP) Trust Association
Interceptor (TAI) automatically cannot load an OpenID
provider's (OPs) configuration information.  All of its'
endpoints, methods, and algorithms must be entered into the
OIDC TAI configuration manually.

    



Problem conclusion


    

  • The OIDC RP TAI is updated to obtain OP configuration
information from the provider's Well-Known Configuration
Endpoint.

The following OIDC TAI configuration properties are added:

provider.<id>.useDiscovery
Defaults:
This property defaults to true if a value is specified for the
provider.<id>.discoveryEndpointUrl property, otherwise, it
defaults to false.

Description:
If this property is set to true, but a value is not specified
for the discoveryEndpointUrl property, the default value for
the discoveryEndpointUrl property will be used for discovery.
If this property is set to false, the value for the
discoveryEndpointUrl property will be ignored.

provider.<id>.discoveryEndpointUrl
Defaults:
If provider.<id>.useDiscovery is set to true, the default
value for this property is
(ISSUER_IDENTIFIER)/.well-known/openid-configuration.

Description:
Specifies the endpoint URL for invoking the OpenID Connect
Provider's discovery endpoint.  If the
provider.<id>.useDiscovery property is set to false, the value
for this property will be ignored.

When this property is specified, the following properties will
be obtained from the discovery result: [authorizeEndpointUrl,
tokenEndpointUrl, userinfoEndpointUrl, revokeEndpointUrl,
jwkEndpointUrl, tokenEndpointAuthMethod, issuerIdentifier,
signatureAlgorithm].

When the discoveryEndpointUrl property is included in the OIDC
TAI configuration, if any of these properties are also
included in the configuration, their settings will be ignored.
A request is sent to the discovery endpoint and the data that
is returned is processed when the OIDC TAI is initialized. If
a discovery endpoint is not accessible at the time that the
TAI is initialized, then the OIDC TAI configuration entries
associated with the discovery endpoint will not be active and
its' requests will not be intercepted.

The OIDC TAI does not refresh the data received from the
discovery endpoint. If the OP changes its discovery
information, then the application server must be restarted to
use the new information.

The fix for this APAR is targeted for inclusion in fix packs
8.5.5.18 and 9.0.5.4.  For more information, see
'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH22195
    • 

  • Reported component name
    WEBS APP SERV N
    • 

  • Reported component ID
    5724H8800
    • 

  • Reported release
    850
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2020-02-13
    • 

  • Closed date
    2020-05-19
    • 

  • Last modified date
    2020-05-19
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WEBS APP SERV N
    • 

  • Fixed component ID
    5724H8800
    • 



Applicable component levels


    

  • R850  PSY
       UP
    • 

  • R900  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            06 December 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback