IBM Support

PH27827: OIDC RP SUPPORT UNIQUE CLIENTID AND CLIENTSECRET FOR INTROSPECTION ENDPOINT


APAR status

  • Closed as program error.

Error description

  • In the OIDC Relying Party TAI, administrators may need
    different clientId and clientSecret for the introspection
    endpoint than they do for the authorization endpoint.  The TAI
    only supports one set of values.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: Allow an administrator to configure     *
    *                      unique clientId and clientSecret values *
    *                      for the OP's introspect endpoint in the *
    *                      OIDC TAI.                               *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    In the OpenID Connect (OIDC) Relying Party (RP), the value for the
    clientId and clientSecret that is sent to the OpenID provider's
    (OP) introspection endpoint is the same as that for the
    authentication endpoint.  If the administrator needs to send
    different values for clientId and clientSecret for each endpoint,
    they cannot do that.
    

Problem conclusion

  • The following properties are added to the OIDC TAI:
    
    provider_<id>.introspectClientId
    Values:
    The default value is the value for provider_<id>.clientId.
    Description:
    Specifies the clientId to include in the requests to the OpenID
    Provider's introspection endpoint.
    
    provider_<id>.introspectClientSecret
    Values:
    The default value is the value for provider_<id>.clientSecret.
    Description:
    Specifies the clientSecret to include in the requests to the
    OpenID Provider's introspection endpoint.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.19 and 9.0.5.6. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
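
    An audit sketch for the defaulting rule above, added here as an example and not IBM code: it resolves the effective introspection credentials per provider and reports which providers still reuse the authorization client. The key=value export layout, the function names and the sample values are assumptions; only the four property names come from this APAR.

```python
import re

# Property names come from the APAR text; the key=value layout is an assumption.
_KEY = re.compile(r"^provider_(?P<id>[^.]+)\.(?P<name>\w+)$")

def parse_properties(text):
    """Group 'provider_<id>.<name>=value' lines by provider id."""
    providers = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        m = _KEY.match(key.strip())
        if sep and m:
            providers.setdefault(m["id"], {})[m["name"]] = value.strip()
    return providers

def effective_introspect_credentials(props):
    """Apply the documented defaults: fall back to clientId / clientSecret."""
    cid = props.get("introspectClientId", props.get("clientId"))
    secret = props.get("introspectClientSecret", props.get("clientSecret"))
    return cid, secret

def audit(text):
    """Return {provider id: finding} for every provider in the property set."""
    findings = {}
    for pid, props in sorted(parse_properties(text).items()):
        cid, secret = effective_introspect_credentials(props)
        same = (cid == props.get("clientId"), secret == props.get("clientSecret"))
        if all(same):
            findings[pid] = "shared"    # introspection reuses the authorization client
        elif any(same):
            findings[pid] = "partial"   # only one of the two values was overridden
        else:
            findings[pid] = "separate"  # dedicated introspection client
    return findings

# Constructed sample input (placeholder values, not real credentials).
SAMPLE = """
provider_1.clientId=rp-login
provider_1.clientSecret=EXAMPLE-SECRET-A
provider_2.clientId=rp-login
provider_2.clientSecret=EXAMPLE-SECRET-A
provider_2.introspectClientId=rp-introspect
provider_2.introspectClientSecret=EXAMPLE-SECRET-B
provider_3.clientId=rp-login
provider_3.clientSecret=EXAMPLE-SECRET-A
provider_3.introspectClientId=rp-introspect
"""

print(audit(SAMPLE))
```

    A "partial" finding means the introspection request would pair the new clientId with the authorization clientSecret through the default, which is usually a configuration mistake.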
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH27827

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-07-24

  • Closed date

    2020-08-18

  • Last modified date

    2020-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
27 August 2021