Fixes are available
APAR status
Closed as new function.
Error description
In the OIDC TAI, if a well-known discoveryEndpointUrl is configured for a provider in the OIDC TAI configuration, the userinfo endpoint will always be called. This happens because well-known discovery returns a userinfo endpoint that is not null. For some customers, this call to the userinfo endpoint is not necessary; for instance, they may derive the user details from their user registry. This leads to two observations and impacts:
1. An unnecessary call to the OP (userinfo) to fetch the details, which adds a short delay.
2. Sometimes an invalid call, depending on the user's definition.
The administrator should be able to disable the userinfo call when the endpoint is obtained from the discoveryEndpointUrl.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
*                 Server and OpenID Connect                    *
****************************************************************
* PROBLEM DESCRIPTION: Allow an administrator to not invoke    *
*                      the userinfo endpoint during OIDC       *
*                      login.                                  *
****************************************************************
* RECOMMENDATION: Install a fix pack or interim fix that       *
*                 contains this APAR.                          *
****************************************************************
In the OpenID Connect (OIDC) Trust Association Interceptor (TAI), when a provider configuration is populated using the provider_(id).discoveryEndpointUrl property, the userinfo endpoint is obtained from the discovery information that the OpenID provider (OP) returns. This configures the provider_(id).userinfoEndpointUrl OIDC TAI property for the provider. When the provider_(id).userinfoEndpointUrl OIDC TAI property is configured for a provider, the userinfo endpoint is invoked each time an access token is obtained from the OP. If the system administrator does not want to incur the expense of the extra call to the userinfo endpoint, they have no way to override this behavior.
Problem conclusion
The OIDC TAI is updated so that the administrator can disable the call to the userinfo endpoint during login when it is configured. This new property affects userinfo endpoints that are configured using the provider_(id).userinfoEndpointUrl property or obtained with discovery.

The following property is added:

provider_(id).userinfoEndpointEnabled
Values: true/false, default=true
Description: Set this property to false if you want to ignore the setting for the provider_(id).userinfoEndpointUrl property during login. This applies whether the endpoint was obtained from an OpenID Connect property or from discovery.

If a userinfo endpoint is configured and the provider_(id).userinfoEndpointEnabled property is set to false, an application can still use the OidcClientHelper.getUserInfoFromServer() method to obtain the userinfo from the server.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.5. For more information, see 'Recommended Updates for WebSphere Application Server': http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
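The following Python model illustrates the decision the APAR describes: how the three provider_(id) properties named above (discoveryEndpointUrl, userinfoEndpointUrl, userinfoEndpointEnabled) combine to decide whether the userinfo endpoint is called after login. It is an added example, not the OIDC TAI's own code. It assumes the TAI custom properties are available as a flat string-to-string map, that an explicitly configured userinfoEndpointUrl takes precedence over a discovery-derived one, and that only the literal value "false" disables the call (the default is true). The discovery document is constructed sample data, not a real provider's metadata.

```python
"""Model of the userinfo-endpoint decision described in the APAR.

Added illustration, not the OIDC TAI implementation. Property names are
the ones the APAR names; the precedence between an explicit
userinfoEndpointUrl and a discovery-derived one is an assumption.
"""
import json

# Constructed sample discovery document, shaped like what an OP returns
# from its .well-known endpoint; only the field that matters is included.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example.test",
    "userinfo_endpoint": "https://op.example.test/userinfo",
})


def _prop(props, provider_id, name):
    """Look up provider_<id>.<name> in the flat property map (assumed layout)."""
    return props.get(f"provider_{provider_id}.{name}")


def resolve_userinfo_endpoint(props, provider_id, discovery_json=None):
    """Return the userinfo URL the TAI would call after login, or None.

    Order of evaluation, following the APAR text:
      1. provider_<id>.userinfoEndpointEnabled=false disables the call
         regardless of how the endpoint was configured.
      2. An explicitly configured provider_<id>.userinfoEndpointUrl is used
         (assumed to win over discovery).
      3. Otherwise, if provider_<id>.discoveryEndpointUrl is set, the
         endpoint comes from the discovery document's userinfo_endpoint.
    """
    enabled = _prop(props, provider_id, "userinfoEndpointEnabled")
    # Default is true; only an explicit "false" (case-insensitive) disables it.
    if enabled is not None and enabled.strip().lower() == "false":
        return None

    explicit = _prop(props, provider_id, "userinfoEndpointUrl")
    if explicit:
        return explicit

    if _prop(props, provider_id, "discoveryEndpointUrl") and discovery_json:
        # Discovery populates the endpoint, which before this APAR meant
        # the call was always made (the value is non-null).
        return json.loads(discovery_json).get("userinfo_endpoint")

    return None


# Before the APAR: discovery alone populates the endpoint and it is always called.
PROPS_BEFORE = {
    "provider_1.discoveryEndpointUrl":
        "https://op.example.test/.well-known/openid-configuration",
}

# After the APAR: the new property turns the call off while keeping discovery.
PROPS_AFTER = dict(PROPS_BEFORE, **{"provider_1.userinfoEndpointEnabled": "false"})


if __name__ == "__main__":
    print(resolve_userinfo_endpoint(PROPS_BEFORE, 1, SAMPLE_DISCOVERY))
    print(resolve_userinfo_endpoint(PROPS_AFTER, 1, SAMPLE_DISCOVERY))
```

Running the block prints the discovery-derived userinfo URL for the pre-APAR configuration and None once provider_1.userinfoEndpointEnabled=false is added, which is the behaviour the new property is meant to give an administrator who derives user details from the local registry instead.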
Temporary fix
Comments
APAR Information
APAR number
PH26523
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-06-17
Closed date
2020-08-18
Last modified date
2020-09-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
06 December 2021