IBM Support

PH26523: OIDC RP ALLOW CALL TO USERINFO ENDPOINT TO BE DISABLED

APAR status

  • Closed as new function.

Error description

  • In the OIDC TAI, if a well-known discovery endpoint URL
    (provider_(id).discoveryEndpointUrl) is configured for a provider in
    the OIDC TAI configuration, the userinfo endpoint is always called.
    This happens because well-known discovery returns the userinfo
    endpoint, so the configured value is never null.
    
    For some customers, this call to the userinfo endpoint is not
    necessary.  For instance, they may derive the user details from
    their user registry.
    
    Because of this, there are two observations and impacts:
    1. An unnecessary call to the OP (userinfo) to fetch the details,
       which adds a short delay.
    2. Sometimes an invalid call, depending on the user's definition.
    
    The administrator should be able to disable the userinfo call when
    the endpoint is obtained from the discoveryEndpointUrl.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: Allow an administrator to not invoke    *
    *                      the userinfo endpoint during OIDC       *
    *                      login.                                  *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    In the OpenID Connect (OIDC) Trust Association Interceptor (TAI),
    when a provider configuration is populated using the
    provider_(id).discoveryEndpointUrl property, the userinfo endpoint is
    obtained from the discovery information that the OpenID provider
    (OP) returns.  This configures the provider_(id).userinfoEndpointUrl
    OIDC TAI property for the provider.  When the
    provider_(id).userinfoEndpointUrl OIDC TAI property is configured for
    a provider, the userinfo endpoint is invoked each time an access
    token is obtained from the OP.  If the system administrator does not
    want to incur the expense of the extra call to the userinfo endpoint,
    they have no way to override the behavior.
    

Problem conclusion

  • The OIDC TAI is updated so that the administrator can disable the
    call to the userinfo endpoint during login when it is configured.
    This new property affects userinfo endpoints that are configured
    using the provider_(id).userinfoEndpointUrl property or obtained
    with discovery.
    
    The following property is added:
    
    provider_(id).userinfoEndpointEnabled
    
    Values:
    true/false, default=true
    
    Description:
    Set this property to false if you want to ignore the setting for
    the provider_(id).userinfoEndpointUrl property during login.
    This applies whether the endpoint was obtained from an OpenID
    Connect property or from discovery.  If a userinfo endpoint is
    configured and the provider_(id).userinfoEndpointEnabled property
    is set to false, you can still use the
    OidcClientHelper.getUserInfoFromServer() method to obtain the
    userinfo from the server in an application.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.5.  For more information, see 'Recommended
    Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
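
    The following Python model is an added illustration, not IBM's code: it
    shows how a userinfo endpoint populated from discovery (the OIDC
    discovery document's userinfo_endpoint field) is gated by the new
    provider_(id).userinfoEndpointEnabled property, with the TAI's
    default-true semantics.  The discovery document, the property values and
    the precedence of an explicit userinfoEndpointUrl over discovery are
    assumptions made for the example.

```python
import json

# Constructed discovery document, shaped like an OP's well-known response.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://op.example.test",
    "authorization_endpoint": "https://op.example.test/authorize",
    "token_endpoint": "https://op.example.test/token",
    "userinfo_endpoint": "https://op.example.test/userinfo",
})


def parse_bool(value, default=True):
    """TAI-style boolean property: absent -> default; only 'false'
    (any case, surrounding whitespace ignored) disables."""
    if value is None:
        return default
    return value.strip().lower() != "false"


def resolve_userinfo(props, provider_id, discovery_json=None):
    """Return (endpoint_url, call_it) for provider_<id>.

    props is a dict of OIDC TAI custom properties as strings.
    Assumed precedence: an explicit provider_<id>.userinfoEndpointUrl
    wins; otherwise, if provider_<id>.discoveryEndpointUrl is set, the
    URL is taken from the discovery document (this is the pre-APAR
    behavior that always triggered the call).  The new
    provider_<id>.userinfoEndpointEnabled=false suppresses the call no
    matter where the URL came from; the default is true.
    """
    prefix = f"provider_{provider_id}."
    url = props.get(prefix + "userinfoEndpointUrl")
    if url is None and props.get(prefix + "discoveryEndpointUrl") and discovery_json:
        url = json.loads(discovery_json).get("userinfo_endpoint")
    enabled = parse_bool(props.get(prefix + "userinfoEndpointEnabled"))
    return url, bool(url) and enabled


if __name__ == "__main__":
    cfg = {"provider_1.discoveryEndpointUrl":
           "https://op.example.test/.well-known/openid-configuration"}
    print(resolve_userinfo(cfg, 1, DISCOVERY_DOC))          # call made
    cfg["provider_1.userinfoEndpointEnabled"] = "false"
    print(resolve_userinfo(cfg, 1, DISCOVERY_DOC))          # call skipped
```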
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH26523

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-06-17

  • Closed date

    2020-08-18

  • Last modified date

    2020-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

Document Information

Modified date:
27 August 2021