IBM Support

PH25547: OIDC INCORRECT BEHAVIOR IF OPAQUE TOKEN IS IN AUTHORIZATION HEADER AND USEJWTFROMREQUEST=IFPRESENT

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When the OpenID Connect TAI is configured with
    useJwtFromRequest=ifPresent, and an opaque token is sent in
    the Authorization header of an HTTP request, the user will
    always be redirected to the OpenID provider for interactive
    login.
    
    If an introspection endpoint is configured, the OIDC RP should
    attempt to validate the opaque token via the introspection
    endpoint.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenID Connect                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: OIDC TAI is not sending token to OP     *
    *                      for introspection when configured       *
    *                      with useJwtFromRequest=ifPresent.       *
    ****************************************************************
    * RECOMMENDATION:  Insteall a fix pack or interim fix that     *
    *                  contains this APAR.                         *
    ****************************************************************
    The provider_<id>.useJwtFromRequest OpenID Connect (OIDC) Trust
    Association Interceptor (TAI) custom property is defined as:
    "This property controls processing if a JWT is found in the
    request authorization header."
    One of the supported values for the useJwtFromRequest property
    is
    ifPresent.  The ifPresent value is described as:
    "Use a JWT if one is present.  If a JWT is missing or invalid,
    fall back to using the OpenID Connect provider for
    authentication, if one is configured."
    However, when the TAI is configured for introspection and a
    request is processed by the TAI that contains a token on the
    Authorization header that is not a JWT, instead of sending the
    token to the OpenID provider's introspection endpoint, the TAI
    will redirect the request to the OpenID provider's interactive
    login page.
    

Problem conclusion

  • The OIDC TAI is updated so that, when an introspection
    endpoint is configured, it will *not* attempt introspection
    for a token from the Authorization header in the following
    cases:
    
    1. useJwtFromRequest=required
    2. useJwtFromRequest=ifPresent and the token on the
    Authorization header is a JWT
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.5. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH25547

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-05-19

  • Closed date

    2020-06-30

  • Last modified date

    2020-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900"}]

Document Information

Modified date:
27 August 2021