IBM Support

PH27173: OIDC RP LOGIN MAY FAIL WHEN NONCE IS ENABLED


APAR status

  • Closed as program error.

Error description

  • When using OpenID Connect (OIDC) in a cluster environment,
    when nonce is enabled, the login may fail with the following
    error:
    
    [7/6/20 13:49:58:958 CEST]
    00000159 SessionData 3 The OIDC RP encountered an error when
    valdating the nonce claim [A nonce claim is in the idToken, but
    a nonce was not sent in the original authentication request to
    the OP.]
    
    [7/6/20 13:49:58:958 CEST] 00000159 RelyingParty E
    CWTAI2007E: The OpenID Connect relying party (RP) encountered a
    failure during the login. The exception is
    [com.ibm.ws.security.oidc.client.RelyingPartyException: The
    OIDC RP encountered an error when valdating the nonce claim [A
    nonce claim is in the idToken, but a nonce was not sent in the
    original authentication request to the OP.]]. Check the logs
    for details that lead to this exception.
    

Local fix

  • use session affinity
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: OIDC login may fail when nonceEnabled   *
    *                      is set to true.                         *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    When the OpenID Connect (OIDC) Relying Party (RP) performs a
    login with nonce enabled, the login will fail with the following
    error:
    CWTAI2007E: The OpenID Connect relying party (RP) encountered a
    failure during the login. The exception is
    [com.ibm.ws.security.oidc.client.RelyingPartyException: The
    OIDC RP encountered an error when valdating the nonce claim [A
    nonce claim is in the idToken, but a nonce was not sent in the
    original authentication request to the OP.]]. Check the logs
    for details that lead to this exception.
    

Problem conclusion

  • When the OIDC TAI property provider_(id).nonceEnabled is
    configured for a provider, the TAI sends a nonce value to the OP
    and the OP sends the value back.  That return value must be
    compared against the original value that was sent.  If the TAI
    does not send a nonce value, one must not be returned from the
    OP.
    
    The nonce value for the outbound request is stored in a local
    state cache and in a cookie.  When the OP responds to the login
    request, the TAI first attempts to retrieve the state data from
    the local cache.  If it cannot find the state data in the local
    cache, it will obtain it from the cookie.
    
    If the state data must be obtained from the cookie, the outbound
    nonce value will not be found and the login will fail.
    
    The OIDC TAI is updated so that the outbound nonce value is
    stored properly in the OIDC state cookie.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.5. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
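The following model of the failure described above is an added example, not IBM's or WebSphere's code. It simulates two cluster members that share no local state cache: the login starts on node A and, without session affinity, the callback from the OP lands on node B, which can only fall back to the state cookie. The pre-fix variant keeps the nonce only in the local cache, so node B reports exactly the condition in the error message (a nonce claim in the ID token, but no record of having sent one); the fixed variant also stores the nonce in the HMAC-signed state cookie. All names (`RelyingPartyNode`, `make_state_cookie`, `validate_nonce`, `clustered_login`), the cookie format and the signing key are constructed for this illustration and are not the TAI's actual implementation.

```python
"""Model of OIDC RP state handling with and without the PH27173 fix.
Added example: names, cookie layout and key are constructed, not IBM's."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key; a real RP derives this from managed configuration.
COOKIE_KEY = b"constructed-demo-key-do-not-reuse"


def _sign(payload: bytes) -> str:
    return hmac.new(COOKIE_KEY, payload, hashlib.sha256).hexdigest()


def make_state_cookie(state_data: dict) -> str:
    """Serialize state data into a signed cookie value (payload.signature)."""
    payload = base64.urlsafe_b64encode(
        json.dumps(state_data, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def read_state_cookie(cookie: str) -> Optional[dict]:
    """Return the state data, or None if the cookie is malformed or tampered."""
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_nonce(sent: Optional[str], received: Optional[str]) -> str:
    """Apply the rule from the APAR: a returned nonce must match the one sent,
    and no nonce may come back if none was sent."""
    if sent is None and received is None:
        return "ok"
    if sent is None:
        return "error: nonce claim in idToken but no nonce sent"
    if received is None:
        return "error: nonce sent but idToken has no nonce claim"
    if not hmac.compare_digest(sent, received):
        return "error: nonce mismatch"
    return "ok"


class RelyingPartyNode:
    """One cluster member with its own, non-replicated local state cache."""

    def __init__(self, name: str, nonce_enabled: bool, fixed: bool):
        self.name = name
        self.nonce_enabled = nonce_enabled
        self.fixed = fixed          # True: nonce is also stored in the cookie
        self.local_cache = {}

    def start_login(self):
        """Build the outbound authentication request and the state cookie."""
        state = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(16) if self.nonce_enabled else None
        state_data = {"state": state, "nonce": nonce, "redirect": "/app"}
        self.local_cache[state] = state_data
        # Pre-fix behaviour: the nonce lives only in the local cache.
        cookie_data = state_data if self.fixed else {
            k: v for k, v in state_data.items() if k != "nonce"}
        request = {"state": state}
        if nonce:
            request["nonce"] = nonce
        return request, make_state_cookie(cookie_data)

    def finish_login(self, state: str, id_token_claims: dict, cookie: str) -> str:
        """Local cache first, then the cookie, as the APAR describes."""
        state_data = self.local_cache.get(state)
        if state_data is None:
            state_data = read_state_cookie(cookie)
        if state_data is None or state_data.get("state") != state:
            return "error: unknown or tampered state"
        return validate_nonce(state_data.get("nonce"), id_token_claims.get("nonce"))


def simulate_op(auth_request: dict) -> dict:
    """Constructed stand-in for the OP: echoes the request nonce into the ID token."""
    claims = {"sub": "alice", "iss": "https://op.example"}
    if "nonce" in auth_request:
        claims["nonce"] = auth_request["nonce"]
    return claims


def clustered_login(fixed: bool, affinity: bool = False) -> str:
    """Start on node A; the callback hits node A (affinity) or node B (no affinity)."""
    node_a = RelyingPartyNode("A", nonce_enabled=True, fixed=fixed)
    node_b = RelyingPartyNode("B", nonce_enabled=True, fixed=fixed)
    request, cookie = node_a.start_login()
    claims = simulate_op(request)
    handler = node_a if affinity else node_b
    return handler.finish_login(request["state"], claims, cookie)


if __name__ == "__main__":
    print("pre-fix, no affinity :", clustered_login(fixed=False))
    print("pre-fix, affinity    :", clustered_login(fixed=False, affinity=True))
    print("fixed,   no affinity :", clustered_login(fixed=True))
```

Running it shows why "use session affinity" works as a local fix (the callback reaches the node whose cache holds the nonce) and why the real fix is to carry the nonce in the cookie so any node can validate it. Signing the cookie is a design choice of this example: once the nonce and state ride in a client-held cookie, that cookie has to be integrity-protected, otherwise the replay protection the nonce provides can be undone by editing the cookie.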
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH27173

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-07-07

  • Closed date

    2020-08-18

  • Last modified date

    2020-08-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
06 December 2021