IBM Support

PH26925: OIDC RP GENERATES JAVASCRIPT WITH EXTRA 'END-SCRIPT' TO SEND TO OP

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The OpenID Connect (OIDC) Relying Party sends an invalid html
    head, which may result in a 401 response from the OP.
    
    There is an extra </script> in the header.  For
    example:
    <html><head><script type="text/javascript"
    language="javascript">var loc=window.location.href;document.cook
    ie="OIDCREQURL_-123123123_4563123609549="+loc+"; expires=Wed,
    24 Jun 2020 20:40:09 UTC; path=/;
    secure"</script></script>...
    

Local fix

  • Disable the url cookie (useUrlCookies=false) or javascript.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: There is an extra </script> in the      *
    *                      JavaScript that is created by the OIDC  *
    *                      during RP login.                        *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    When the OpenID Connect (OIDC) Trust Association Interceptor
    (TAI)
    sends an interactive login request to an OpenID provider, a
    JavaScript is created to send the login request to the server.
    This script contains an extra </script>.
    

Problem conclusion

  • The OIDC TAI is updated so that only one </script> is included i
    the JavaScript that it sends to the OP.
    
    A workaround for this issue is to set
    provider_(id).useJavaScript=false in the OIDC TAI configuration
    for the provider.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.19 and 9.0.5.5.  For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH26925

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-06-29

  • Closed date

    2020-08-18

  • Last modified date

    2020-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900"}]

Document Information

Modified date:
27 August 2021