
PH22621: OIDC RP: ADD PROGRAMMATIC SUPPORT FOR GRANT_TYPE = CLIENT_CREDENTIALS


APAR status

  • Closed as program error.

Error description

  • Add an API to the OIDC TAI so that program developers can
    obtain an access token from an OP using
    grant_type=client_credentials.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: Add an API to the OIDC TAI to obtain    *
    *                      access token from OP using              *
    *                      grant_type=client_credentials           *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The OpenID Connect (OIDC) Relying Party (RP) Trust Association
    Interceptor (TAI) provides APIs to developers to obtain tokens
    from the subject and to obtain refreshed access tokens from an
    OpenID provider (OP) after they have expired.  The OIDC TAI
    does not provide a way for a developer to just go get an
    access token from an OP.
    

Problem conclusion

  • The OIDC RP TAI is updated to allow a program developer to
    obtain an access token from an OP using the client_credentials
    grant type.
    
    The following OIDC RP TAI custom property is added:
    
    provider.<id>.grantType
    Default: none
    
    Values: client_credentials
    
    Description:
    Set this property to [client_credentials] if you want to
    enable the provider entry to be used to obtain an access token
    from the OpenID Provider's token endpoint using the
    client_credentials grant_type.  You can obtain the access
    token using the
    OidcClientHelper.getClientCredentialsGrantAccessToken() API.
    When you specify the [grantType] property on a provider entry,
    that provider entry cannot be used for the OpenID Connect
    login flow.
    
    When a provider entry includes grantType=client_credentials,
    the tokenEndpointUrl and clientId properties are required and
    the clientSecret and scope properties are optional.
    
    The getClientCredentialsGrantAccessToken method is added to
    the com.ibm.websphere.security.oidc.util.OidcClientHelper class:
    
      /**
       * Retrieve an access token from the token endpoint
       *
       * An exception will be emitted in the following instances:
       *
       *  * Trust Association is not enabled.
       *  * There is no valid OIDC RP TAI configuration entry
       *    specifying grantType=client_credentials.
       *  * An error occurs while obtaining the access token from
       *    the token endpoint.
       *  * An access token is not received from the token endpoint.
       *
       * @return The access token retrieved from the server
       * @throws Exception if one of the errors outlined above occurs
       */
      public static String getClientCredentialsGrantAccessToken()
              throws Exception {}
    
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.4.  For more information, see
    'Recommended Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
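The following is an added example, not IBM's code, that models what a provider entry with grantType=client_credentials means in practice: it applies the configuration rules stated above (grantType, required tokenEndpointUrl and clientId, optional clientSecret and scope, entry unusable for the login flow), builds the RFC 6749 section 4.4 token request the RP sends to the OP's token endpoint, and fails the way the API contract says it must when no access token comes back. The provider id "svc", the endpoint URL and all property values are constructed; sending the client secret as HTTP Basic credentials is an assumption about the wire form, since the APAR does not state it.

```python
"""Model of an OIDC RP TAI provider entry using the client_credentials grant.
Added example only; not the WebSphere OIDC TAI implementation."""
import base64
import json
from urllib.parse import urlencode

# Constructed sample of the TAI custom properties for a provider entry "svc".
SAMPLE_PROPERTIES = {
    "provider.svc.grantType": "client_credentials",
    "provider.svc.tokenEndpointUrl": "https://op.example.test/oauth2/token",
    "provider.svc.clientId": "rp-client",
    "provider.svc.clientSecret": "REPLACE_WITH_SECRET",  # placeholder value
    "provider.svc.scope": "inventory.read",
}

def load_client_credentials_entry(props, provider_id):
    """Apply the APAR's rules: grantType must be client_credentials,
    tokenEndpointUrl and clientId are required, clientSecret and scope optional."""
    def prop(key):
        return props.get(f"provider.{provider_id}.{key}")
    if prop("grantType") != "client_credentials":
        raise ValueError(f"provider {provider_id}: grantType is not client_credentials")
    for required in ("tokenEndpointUrl", "clientId"):
        if not prop(required):
            raise ValueError(f"provider {provider_id}: {required} is required")
    return {"token_endpoint": prop("tokenEndpointUrl"), "client_id": prop("clientId"),
            "client_secret": prop("clientSecret"), "scope": prop("scope"),
            "usable_for_login": False}  # such an entry cannot serve the OIDC login flow

def build_token_request(entry):
    """Build the POST to the token endpoint. Assumption: a confidential client
    authenticates with HTTP Basic (RFC 6749 2.3.1); a client without a secret
    sends only its client_id in the form body."""
    form = {"grant_type": "client_credentials"}
    if entry["scope"]:
        form["scope"] = entry["scope"]
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if entry["client_secret"]:
        creds = f'{entry["client_id"]}:{entry["client_secret"]}'.encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    else:
        form["client_id"] = entry["client_id"]
    return entry["token_endpoint"], headers, urlencode(form)

def extract_access_token(response_body):
    """Mirror the API contract: raise if the OP returned an error or no token."""
    data = json.loads(response_body)
    if "error" in data:
        raise RuntimeError(f"token endpoint error: {data['error']}")
    token = data.get("access_token")
    if not token:
        raise RuntimeError("no access token received from the token endpoint")
    return token
```

The returned token is what getClientCredentialsGrantAccessToken() hands back to application code; treat it as a credential (send it only as a Bearer header, never log it).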

Temporary fix

Comments

APAR Information

  • APAR number

    PH22621

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-02-25

  • Closed date

    2020-05-19

  • Last modified date

    2020-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
27 August 2021