Fixes are available
APAR status
Closed as new function.
Error description
Application developers that use OIDC frequently use Azure as the OP. Azure uses the end session endpoint to facilitate logout instead of using the revoke endpoint. The end session endpoint is invoked by the app, then Azure calls a logout endpoint that is provided by the app, which then calls HTTPServletRequest.logout(). This ends up calling the OIDC logout. When doing this process, the application needs to know the end session endpoint. The end session endpoint is exposed in the end_session_endpoint claim in the discovery output. When OIDC is configured to use discovery, it makes sense for the app to be able to query the TAI for the end session endpoint instead of hardcoding it in their app.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server and OpenID Connect * **************************************************************** * PROBLEM DESCRIPTION: The OIDC RP should make the end session * * endpoint that it gets from discovery * * available to applications. * **************************************************************** * RECOMMENDATION: Install a fix pack or interim fix that * * contains this APAR. * **************************************************************** The OpenID Connect (OIDC) Relying Party (RP) should expose the end session endpoint to applications.
Problem conclusion
The following methods are added to the com.ibm.websphere.security.oidc.util.OidcClientHelper API: getEndSessionEndpoint() throws Exception getEndSessionEndpoint(javax.security.auth.Subject) throws Exception =============== getEndSessionEndpoint() throws Exception Retrieve the end session endpoint associated with the access token on the current runAs Subject. A null value will be returned in the following instances: * Administrative security is not enabled. * Trust Association is not enabled. * The OIDC RP TAI is not configured and successfully initialized. * There is no access token on the runAs Subject. * There are any errors while attempting to obtain the OIDC session data associated with the access token on the runAs Subject. * There is end session endpoint in the configuration used to create the associated SessionData. The end session endpoint may be hardcoded in the OIDC TAI configuration or obtained via discovery. @return The end session endpoint associated with the access toke on the runAs Subject @throws Exception if an error occurs either while obtaining the runAs Subject or accessing the private credentials. =============== getEndSessionEndpoint(javax.security.auth.Subject) throws Exception Retrieve the end session endpoint associated with the access token on the from the input Subject. A null value will be returned in the following instances: * Administrative security is not enabled. * Trust Association is not enabled. * The OIDC RP TAI is not configured and successfully initialized. * There is no access token on the input Subject. * There are any errors while attempting to obtain the OIDC session data associated with the access token on the input Subject. * There is end session endpoint in the configuration used to create the associated SessionData. The end session endpoint may be hardcoded in the OIDC TAI configuration or obtained via discovery. @return The end session endpoint associated with the access token on the input Subject @throws Exception if an error occurs either while obtaining the accessing the private credentials from the input Subject. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.19 and 9.0.5.6. For more information, see 'Recommended Updates for WebSphere Application Server': http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PH27971
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-07-30
Closed date
2020-08-18
Last modified date
2020-08-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
06 December 2021