IBM Support

PH30911: OIDC RP: ALLOW A RESOURCE PARAMETER TO BE SENT TO THE TOKEN AND AUTHORIZE ENDPOINTS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as new function.

Error description

  • The OpenId Connect (OIDC) Trust Association Interceptor (TAI)
    does not allow the administrator to configure a resource
    parameter to send to the OpenId Provider's (OP's) token
    and authorize endpoints.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  and the OIDC TAI                            *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC TAI does not allow the         *
    *                      administrator to configure a resource   *
    *                      parameter to send to the OP's token     *
    *                      and authorize endpoints.                *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains                                    *
    *                  this APAR.                                  *
    ****************************************************************
    The OIDC TAI does not allow the administrator to configure a
    resource parameter to send to the OP's token and authorize
    endpoints.
    This may be required if a WebSphere administrator is using an
    OIDC Provider infra-structure that implements resource
    parameters according to OAuth 2.0 specification:
    https://www.iana.org/assignments/oauth-parameters/oauth-
    parameters.xhtml# óÔé¼ Æparameters
    RFC 8707 - 2. Resource Parameter
    https://tools.ietf.org/html/rfc8707
    

Problem conclusion

  • The OIDC TAI is updated so that it can send a resource
    parameter to the OP's token endpoint.
    
    The following property is added:
    provider_(id).resource
    Resource parameter to included in the authentication and token
    requests to the OP.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.20 and 9.0.5.7. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH30911

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-10-26

  • Closed date

    2020-12-07

  • Last modified date

    2020-12-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900"}]

Document Information

Modified date:
08 December 2020