IBM Support

PH23572: OIDC RP CODE FLOW CAN NOT BE USED IF JAVASCRIPT IS NOT ENABLED

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • When using the OpenID Connect Relying Party, if the user is
    not already logged in, the redirection to the OpenID Connect
    Provider is done via JavaScript embedded in a html page.
    
    For some applications, it would be better if the redirect is
    done with a standard HTTP 302.
    
    In Open Liberty OIDC, this is possible by setting property
    isClientSideRedirectSupported property to false
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC RP requires JavaScript and     *
    *                      it should not.                          *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The OpenID Connect (OIDC) Relying Party (RP) Trust Association
    Interceptor (TAI) uses JavaScript when it redirects a user to
    the OP's authentication endpoint.  If JavaScript is disabled,
    the OIDC TAI cannot be used.
    

Problem conclusion

  • The OIDC TAI uses JavaScript to save the original URL as it
    came from the browser.  If the URL contains a fragment, the
    fragment does not get passed into the application server.  A
    JavaScript is used to access the oringal URL and write it out
    to a cookie that we can read later.
    
    The OIDC TAI is updated so that JavaScript is not required.
    However, when JavaScript is not used, if the original URL from
    the browser contains a fragment, the fragment will be lost
    upon final redirect to the application.
    
    The following OIDC TAI property is added:
    
    provider.<id>.useJavaScript
    
    Default: true
    
    Description: When this property is set to true, JavaScript
    will be used when the TAI redirects to the OP's authentication
    endpoint.
    
    When this property is set to false, JavaScript will not be
    used.  Also, if the original URL contains a fragment, upon
    final redirection to the application, the URL will no longer
    contain the fragment.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.4.  For more information, see
    'Recommended Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH23572

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-03-23

  • Closed date

    2020-05-19

  • Last modified date

    2020-05-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900"}]

Document Information

Modified date:
16 September 2021