Fixes are available
APAR status
Closed as program error.
Error description
When the OpenID Connect (OIDC) Trust Association Interceptor (TAI) is configured using a provider_(id).interceptedPathFilter, the callback from the OpenID provider (OP) is processed automatically and does not have to be included in the filter. If the TAI is configured using a provider_(id).filter, the filter must include a condition that allows the TAI to intercept the callback. For instance:
provider_(id).filter=request-url^=client1|snoop
To reduce configuration problems, the behavior of the two filter properties should be consistent.
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server and OpenID Connect
PROBLEM DESCRIPTION: The OIDC TAI provider_(id).filter property does not automatically intercept the callback from the OP.
RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.
When the OIDC TAI is configured to intercept requests using the provider_(id).filter property, the filter must be constructed so that it also intercepts the callback from the OP. This should not be necessary. For instance, the following configuration will intercept a request that contains login_app and redirect the user to the OP for login:
provider_1.identifier=client1
provider_1.filter=request-url^=login_app
However, when the OP responds to the RP's callback URI (/oidcclient/client1), that request will not be intercepted and the login sequence will fail. The administrator must know to add a condition to the filter that allows the TAI to intercept the callback from the OP. For instance:
provider_(id).filter=request-url^=client1|login_app
Problem conclusion
The OIDC TAI is updated so that, when the configuration for a provider uses the provider_(id).filter property to intercept requests, the callback from the OP is automatically intercepted. For instance, the following provider configuration will intercept both requests that contain login_app and requests to (TAI_CONTEXT_ROOT)/client1:
provider_1.identifier=client1
provider_1.filter=request-url^=login_app
The fix for this APAR is targeted for inclusion in fix packs 8.5.5.19 and 9.0.5.6. For more information, see 'Recommended Updates for WebSphere Application Server': http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
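The following is an added model of the behavior this APAR describes; it is not code from WebSphere or from the APAR. It assumes that request-url^= means "the request path contains one of the |-separated values" and that TAI_CONTEXT_ROOT is /oidcclient, as in the callback URI quoted in the problem summary; the sample URLs are constructed.

```python
# Constructed model of the OIDC TAI provider_(id).filter check, before and
# after APAR PH28253. Assumption: '^=' matches a request whose path contains
# any of the '|'-separated values; TAI_CONTEXT_ROOT is '/oidcclient'.

TAI_CONTEXT_ROOT = "/oidcclient"


def parse_filter(expr):
    """Parse 'request-url^=a|b' into the list of substrings to look for."""
    key, sep, values = expr.partition("^=")
    if key.strip() != "request-url" or not sep:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    return [v for v in values.split("|") if v]


def matches_filter(expr, path):
    """True if the request path contains any value named in the filter."""
    return any(value in path for value in parse_filter(expr))


def is_callback(provider, path):
    """True if the request is the OP callback for this provider's identifier."""
    return path.startswith(f"{TAI_CONTEXT_ROOT}/{provider['identifier']}")


def intercepted_before_fix(provider, path):
    # Pre-APAR: only the administrator's filter decides what is intercepted.
    return matches_filter(provider["filter"], path)


def intercepted_after_fix(provider, path):
    # Post-APAR: the callback to (TAI_CONTEXT_ROOT)/<identifier> is always
    # intercepted in addition to whatever the filter matches.
    return is_callback(provider, path) or matches_filter(provider["filter"], path)


# The provider configuration quoted in the APAR.
PROVIDER_1 = {"identifier": "client1", "filter": "request-url^=login_app"}


def login_sequence(provider, intercept):
    """Report which of the two requests in the login flow the TAI intercepts."""
    initial = "/login_app/start"                      # constructed sample
    callback = f"{TAI_CONTEXT_ROOT}/{provider['identifier']}?code=c&state=s"
    return {"initial": intercept(provider, initial),
            "callback": intercept(provider, callback)}
```

With the pre-fix check the callback is missed and the login sequence breaks; the post-fix check intercepts it without the administrator having to add client1 to the filter.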
Temporary fix
Comments
APAR Information
APAR number
PH28253
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-08-06
Closed date
2020-08-19
Last modified date
2020-08-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
06 December 2021