Fixes are available
APAR status
Closed as new function.
Error description
When using the OpenID Connect (OIDC) relying party, after successful login completion, an administrator might not want an LTPA cookie written to the browser. You can control this behavior when performing JWT Authentication, but you cannot when the OIDC trust association interceptor (TAI) is acting as a traditional OpenID Connect relying party.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server and OpenID Connect * **************************************************************** * PROBLEM DESCRIPTION: Give option to not write an LTPA * * cookie * * in the OIDC RP. * **************************************************************** * RECOMMENDATION: Install a fix pack or interim fix that * * contains this APAR. * **************************************************************** When using the OIDC TAI, an administrator has the option to not write an LTPA cookie if they are performing JWT authentication. If they are using the OIDC relying party (RP) function of the OIDC TAI, there is no option to not write an LTPA cookie.
Problem conclusion
The OIDC TAI property provider_(id).setLtpaCookie is updated so that it applies to both the OIDC relying party and JWT authentication: provider_<id>.setLtpaCookie Defaults: When when useJwtFromRequest is set to required, the default is true. Otherwise, the default is false. Description: When this property is set to true, the runtime will set an LTPA Cookie on the response after successful authentication with the inbound JWT is complete. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.5. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH27213
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-07-09
Closed date
2020-08-19
Last modified date
2023-07-21
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
21 July 2023