PH27213: OIDC TAI: GIVE OPTION TO NOT WRITE LTPA COOKIE IN RP PATH

APAR status

  • Closed as new function.

Error description

  • When using the OpenID Connect (OIDC) relying party, after
    successful login completion, an administrator may not want an
    LTPA cookie written to the browser.
    
    You can control this behavior when performing JWT
    Authentication, but you cannot when the OIDC trust association
    interceptor (TAI) is acting as a traditional OpenID Connect
    relying party.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  and OpenID Connect                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: Give option to not write an LTPA cookie *
    *                      in the OIDC RP.                         *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains                                    *
    *                  this APAR.                                  *
    ****************************************************************
    When using the OIDC TAI, an administrator has the option to not
    write an LTPA cookie if they are performing JWT authentication.
    If they are using the OIDC relying party (RP) function of the
    OIDC TAI, there is no option to not write an LTPA cookie.
    

Problem conclusion

  • The OIDC TAI property provider_(id).setLtpaCookie is updated so
    that it applies to both the OIDC relying party and JWT
    authentication:
    
    provider_<id>.setLtpaCookie
    
    Defaults:
    When useJwtFromRequest is set to either required or
    ifPresent, the default is true. Otherwise, the default is false.
    
    Description:
    When this property is set to true, the runtime will set an LTPA
    Cookie on the response after successful authentication with the
    inbound JWT is complete.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.5. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH27213

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-07-09

  • Closed date

    2020-08-19

  • Last modified date

    2020-08-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
27 August 2021