IBM Support

PH28386: OIDC RP: GIVE THE OPTION TO VALIDATE A JWT ACCESS TOKEN

APAR status

  • Closed as new function.

Error description

  • Ordinarily, OpenID providers (OPs) return access tokens that
    are opaque, and the Relying Party (RP) does nothing to verify
    them. Some OPs can return access tokens that are JWTs. If the
    access token returned by an OP is a JWT, the OpenID Connect
    (OIDC) RP Trust Association Interceptor (TAI) does not
    validate it.

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: If the access token that is returned    *
    *                      from the OP is a JWT, the OIDC TAI does *
    *                      not validate it.                        *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    If an OP returns an access token that is a JWT, the OpenID
    Connect (OIDC) Trust Association Interceptor (TAI) does not
    validate it. An administrator may want to ensure that the JWT
    is valid.

Problem conclusion

  • The following property is added to the OIDC TAI to allow the
    relying party to validate an access token that is a JWT:

    provider_(id).accessTokenIsJwt
    Values: true/false, default=false
    Description: Set this property to true if the access token that
    is returned from the OP is a JWT and you want the RP to validate
    the JWT.
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.19 and 9.0.5.6. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
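    To make concrete what "validate the JWT" involves on the RP side, the following is an added example (not IBM's TAI code): the checks a relying party makes before trusting a JWT access token, covering token shape, algorithm, signature, expiry, issuer and audience, and showing that an opaque or tampered token is rejected. It assumes an HS256 shared secret and constructed issuer, audience and token values; real OPs normally sign with an asymmetric key published via JWKS.

```python
import base64, hashlib, hmac, json, time
# Added example (not IBM's TAI code): HS256 shared secret; issuer, audience
# and token contents are constructed for illustration.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    """Constructed HS256 token standing in for the OP's JWT access token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def validate_jwt_access_token(token: str, key: bytes, issuer: str,
                              audience: str, now: int = None) -> dict:
    """RP-side checks: compact JWS shape, expected alg, signature, exp, iss, aud.
    Returns the verified claims or raises ValueError on the first failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (opaque or malformed token)")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the RP fixes the alg, never the token
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(body_b64))  # trusted only past this point
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this RP")
    return claims

def accepts(token: str, key: bytes, issuer: str, audience: str, now: int = None) -> bool:
    """True only if every check in validate_jwt_access_token passes."""
    try:
        validate_jwt_access_token(token, key, issuer, audience, now)
        return True
    except ValueError:  # includes binascii.Error and JSONDecodeError
        return False
```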

Temporary fix

Comments

APAR Information

  • APAR number

    PH28386

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-08-13

  • Closed date

    2020-08-19

  • Last modified date

    2020-08-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
27 August 2021