Fixes are available
APAR status
Closed as program error.
Error description
When using OpenID Connect (OIDC) in a cluster environment with nonce enabled, the login may fail with the following error:

[7/6/20 13:49:58:958 CEST] 00000159 SessionData 3 The OIDC RP encountered an error when valdating the nonce claim [A nonce claim is in the idToken, but a nonce was not sent in the original authentication request to the OP.]
[7/6/20 13:49:58:958 CEST] 00000159 RelyingParty E CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [com.ibm.ws.security.oidc.client.RelyingPartyException: The OIDC RP encountered an error when valdating the nonce claim [A nonce claim is in the idToken, but a nonce was not sent in the original authentication request to the OP.]]. Check the logs for details that lead to this exception.
Local fix
use session affinity
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
*                 Server and OpenID Connect                    *
****************************************************************
* PROBLEM DESCRIPTION: OIDC login may fail when nonceEnabled   *
*                      is set to true.                         *
****************************************************************
* RECOMMENDATION: Install a fix pack or interim fix that       *
*                 contains this APAR.                          *
****************************************************************

When the OpenID Connect (OIDC) Relying Party (RP) performs a login with nonce enabled, the login will fail with the following error:

CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [com.ibm.ws.security.oidc.client.RelyingPartyException: The OIDC RP encountered an error when valdating the nonce claim [A nonce claim is in the idToken, but a nonce was not sent in the original authentication request to the OP.]]. Check the logs for details that lead to this exception.
Problem conclusion
When the OIDC TAI property provider_(id).nonceEnabled is configured for a provider, the TAI sends a nonce value to the OP and the OP sends the value back. That returned value must be compared against the original value that was sent. If the TAI does not send a nonce value, one must not be returned from the OP.

The nonce value for the outbound request is stored in a local state cache and in a cookie. When the OP responds to the login request, the TAI first attempts to retrieve the state data from the local cache. If it cannot find the state data in the local cache, it obtains it from the cookie. In a cluster without session affinity the callback may arrive at a different member than the one that started the login, so the state data must be obtained from the cookie; because the cookie did not carry the outbound nonce value, the nonce is not found and the login fails.

The OIDC TAI is updated so that the outbound nonce value is stored properly in the OIDC state cookie.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.5. For more information, see 'Recommended Updates for WebSphere Application Server': http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
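The following added illustration (not IBM's code; RPNode, cluster_login and the cookie layout are assumptions) models the behaviour described above: two RP cluster members with non-replicated state caches, a cookie fallback, and the nonce check, showing why the login fails when the nonce is missing from the cookie and succeeds once the cookie carries it or session affinity keeps the callback on the originating node.

```python
import secrets
from dataclasses import dataclass, field


class NonceError(Exception):
    """Raised when the id_token nonce cannot be reconciled with the request."""


@dataclass
class RPNode:
    """One RP cluster member; its state cache is not replicated to peers."""
    name: str
    local_state: dict = field(default_factory=dict)

    def start_login(self, nonce_in_cookie: bool):
        """Build the authentication request and the state cookie the RP sets."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.local_state[state] = {"nonce": nonce}
        cookie = {"state": state}
        if nonce_in_cookie:          # the APAR's fix: nonce travels in the cookie too
            cookie["nonce"] = nonce
        return {"response_type": "code", "state": state, "nonce": nonce}, cookie

    def finish_login(self, state: str, claims: dict, cookie: dict) -> bool:
        """Callback: local cache first, cookie fallback, then the nonce check."""
        data = self.local_state.pop(state, None)
        if data is None:
            if cookie.get("state") != state:
                raise NonceError("state mismatch")
            data = {"nonce": cookie.get("nonce")}   # None on an unpatched RP
        sent, received = data.get("nonce"), claims.get("nonce")
        if sent is None and received is not None:
            raise NonceError("A nonce claim is in the idToken, but a nonce was "
                             "not sent in the original authentication request to the OP.")
        if sent is not None and not secrets.compare_digest(sent, received or ""):
            raise NonceError("nonce mismatch")
        return True


def cluster_login(nonce_in_cookie: bool, same_node: bool = False,
                  tamper: bool = False) -> str:
    """Start on node A, finish on node B unless same_node (session affinity).
    Returns 'ok' or the RP's error text."""
    node_a, node_b = RPNode("A"), RPNode("B")
    params, cookie = node_a.start_login(nonce_in_cookie)
    # Constructed OP response: the nonce is echoed into the id_token claims.
    claims = {"sub": "user1", "nonce": "forged" if tamper else params["nonce"]}
    try:
        (node_a if same_node else node_b).finish_login(params["state"], claims, cookie)
        return "ok"
    except NonceError as exc:
        return str(exc)
```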
Temporary fix
Comments
APAR Information
APAR number
PH27173
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-07-07
Closed date
2020-08-18
Last modified date
2020-08-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
06 December 2021