Fixes are available
APAR status
Closed as program error.
Error description
With OpenID Connect (OIDC), application programmers may want to have access to the introspection response from the OP, but the OIDC TAI in WebSphere does not make this information available.
Local fix
n/a
Problem summary
**************************************************************** * USERS AFFECTED: IBM WebSphere Application Server users of * * OpenID Connect * **************************************************************** * PROBLEM DESCRIPTION: The OIDC TAI does not expose the * * introspection response from the * * OpenID provider. * **************************************************************** * RECOMMENDATION: Install a fix pack or interim fix that * * contains this APAR. * **************************************************************** Application programmers may need access to the introspection response from the OpenID provider. The OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) does not expose this information.
Problem conclusion
The OIDC RP TAI is updated so that when the OpenID Connect session data is created via introspection, the introspection response is stored and made available to application programmers on the com.ibm.websphere.security.oidc.util.OidcClientHelper API. The following methods are added to the com.ibm.websphere.security.oidc.util.OidcClientHelper API: /** * Retrieve the introspection response String from the input * Subject. * * This method will return null if the OIDC session data * associated with this subject was not created via * introspection. * * @return The introspection response String or null if * there is no access token on the Subject * @throws Exception if an error occurs either while * obtaining the runAs Subject or accessing the private * credentials. */ public static String getIntrospectionResponseFromSubject(Subject subj) throws Exception {} /** * Retrieve the introspection response String from the * current runAs Subject. * * This method will return null if the OIDC session data * associated with this subject was not created via * introspection. * * @return The introspection response String or null if * there is no access token on the Subject * @throws Exception if an error occurs either while * obtaining the runAs Subject or accessing the private * credentials. */ public static String getIntrospectionResponseFromSubject() throws Exception {} The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.5. For more information, see 'Recommended Updates for WebSphere Application Server': http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PH24737
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-04-23
Closed date
2020-06-30
Last modified date
2020-06-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
06 December 2021