Fixes are available
APAR status
Closed as program error.
Error description
Add an API to the OIDC TAI so that program developers can obtain an access token from an OP using grant_type=client_credentials.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application      *
*                 Server and OpenID Connect                    *
****************************************************************
* PROBLEM DESCRIPTION: Add an API to the OIDC TAI to obtain    *
*                      access token from OP using              *
*                      grant_type=client_credentials           *
****************************************************************
* RECOMMENDATION: Install a fix pack or interim fix that       *
*                 contains this APAR.                          *
****************************************************************

The OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) provides APIs to developers to obtain tokens from the subject and to obtain refreshed access tokens from an OpenID provider (OP) after they have expired. The OIDC TAI does not provide a way for a developer to simply obtain an access token from an OP.
Problem conclusion
The OIDC RP TAI is updated to allow a program developer to obtain an access token from an OP using the client_credentials grant type.

The following OIDC RP TAI custom property is added:

provider.<id>.grantType
  Default: none
  Values: client_credentials
  Description: Set this property to [client_credentials] if you want to enable the provider entry to be used to obtain an access token from the OpenID Provider's token endpoint using the client_credentials grant_type. You can obtain the access token using the OidcClientHelper.getClientCredentialsGrantAccessToken() API. When you specify the [grantType] property on a provider entry, that provider entry cannot be used for the OpenID Connect login flow. When a provider entry includes grantType=client_credentials, the tokenEndpointUrl and clientId properties are required and the clientSecret and scope properties are optional.

The getClientCredentialsGrantAccessToken method is added to the com.ibm.websphere.security.oidc.util.OidcClientHelper class:

    /**
     * Retrieve an access token from the token endpoint.
     *
     * An exception will be thrown in the following instances:
     *
     *   * Trust Association is not enabled.
     *   * There is no valid OIDC RP TAI configuration entry
     *     specifying grantType=client_credentials.
     *   * An error occurs while obtaining the access token from
     *     the token endpoint.
     *   * An access token is not received from the token endpoint.
     *
     * @return The access token retrieved from the server
     * @throws Exception if one of the errors outlined above occurs
     */
    public static String getClientCredentialsGrantAccessToken() throws Exception {}

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.4. For more information, see 'Recommended Updates for WebSphere Application Server': http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
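As an added illustration (not IBM's code and not the TAI's Java implementation), the property rules and failure cases described above modelled in Python: the provider entry is a constructed dict whose keys mirror the provider.<id>.* properties, the token request is the standard client_credentials form POST, and the transport is injectable so the demo runs offline against a constructed stand-in for the OP token endpoint.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Hypothetical dict model of one provider.<id>.* entry from the OIDC RP TAI
# configuration; key names mirror the custom properties named in the APAR.
REQUIRED = ("tokenEndpointUrl", "clientId")      # required with grantType
OPTIONAL = (("clientSecret", "client_secret"), ("scope", "scope"))

def usable_for_login(entry):
    """An entry carrying grantType cannot serve the OIDC login flow."""
    return "grantType" not in entry

def build_token_request(entry):
    """Validate the entry and form-encode the client_credentials request."""
    if entry.get("grantType") != "client_credentials":
        raise ValueError("no provider entry with grantType=client_credentials")
    missing = [k for k in REQUIRED if not entry.get(k)]
    if missing:
        raise ValueError("missing required properties: " + ", ".join(missing))
    form = {"grant_type": "client_credentials", "client_id": entry["clientId"]}
    for prop, param in OPTIONAL:          # optional properties are sent only if set
        if entry.get(prop):
            form[param] = entry[prop]
    return urlencode(form)

def http_post(url, body):
    """Real transport: POST the form to the OP token endpoint over HTTPS."""
    req = Request(url, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def get_client_credentials_grant_access_token(entry, post=http_post):
    """Return the access token, failing in the cases the new API documents."""
    body = build_token_request(entry)
    try:
        payload = post(entry["tokenEndpointUrl"], body)
    except Exception as exc:
        raise RuntimeError("error obtaining access token from token endpoint") from exc
    if not payload.get("access_token"):
        raise RuntimeError("no access token received from token endpoint")
    return payload["access_token"]

# Constructed sample entry and an offline stand-in for the OP token endpoint.
SAMPLE_ENTRY = {"grantType": "client_credentials", "clientId": "rp-app",
                "tokenEndpointUrl": "https://op.example/token", "scope": "api.read"}

def fake_op(url, body):
    return {"access_token": "at-123", "token_type": "Bearer"} if "scope=api.read" in body else {}
```

With the real http_post transport the same function performs the live exchange; the fake_op stand-in only exists so the flow can be exercised without an OP.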
Temporary fix
Comments
APAR Information
APAR number
PH22621
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-02-25
Closed date
2020-05-19
Last modified date
2020-09-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
06 December 2021