Fixes are available
APAR status
Closed as new function.
Error description
When using the OpenID Connect Relying Party, if the user is not already logged in, the redirection to the OpenID Connect Provider is done via JavaScript embedded in a html page. For some applications, it would be better if the redirect is done with a standard HTTP 302. In Open Liberty OIDC, this is possible by setting property isClientSideRedirectSupported property to false
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server and OpenID Connect * **************************************************************** * PROBLEM DESCRIPTION: The OIDC RP requires JavaScript and * * it should not. * **************************************************************** * RECOMMENDATION: Install a fix pack or interim fix that * * contains this APAR. * **************************************************************** The OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) uses JavaScript when it redirects a user to the OP's authentication endpoint. If JavaScript is disabled, the OIDC TAI cannot be used.
Problem conclusion
The OIDC TAI uses JavaScript to save the original URL as it came from the browser. If the URL contains a fragment, the fragment does not get passed into the application server. A JavaScript is used to access the oringal URL and write it out to a cookie that we can read later. The OIDC TAI is updated so that JavaScript is not required. However, when JavaScript is not used, if the original URL from the browser contains a fragment, the fragment will be lost upon final redirect to the application. The following OIDC TAI property is added: provider.<id>.useJavaScript Default: true Description: When this property is set to true, JavaScript will be used when the TAI redirects to the OP's authentication endpoint. When this property is set to false, JavaScript will not be used. Also, if the original URL contains a fragment, upon final redirection to the application, the URL will no longer contain the fragment. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.4. For more information, see 'Recommended Updates for WebSphere Application Server': http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PH23572
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-03-23
Closed date
2020-05-19
Last modified date
2020-05-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
06 December 2021