IBM Support

PH34227: OIDC RP: SUPPORT THE BASIC_START_AUTHORIZATION SCOPE

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as new function.

Error description

  • When the OpenID Connect (OIDC) basic_start_authorization scope
    is set, check that the basic_start_authorization claim is set
    to true in idToken the initial token response. If it is not,
    the authentication request should fail.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  and OpenID Connect.                         *
    ****************************************************************
    * PROBLEM DESCRIPTION: Support the basic_start_authorization   *
    *                      scope in the OpenID Connect relying     *
    *                      party.                                  *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    When the OIDC RP scope parameter includes
    basic_start_authorization, the RP should check that the idToken
    in
    the initial token response includes the
    basic_start_authorization
    claim and it is set to true.
    If it does not, the authentication request should fail.
    

Problem conclusion

  • The OIDC RP is updated so that an authentication request will
    fail under the following condition:
    
    * The scope parameter includes the string
    basic_start_authorization
    -and-
    * The idToken in the initial token response does not include a
    basic_start_authorization claim that is set to true.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.20 and 9.0.5.8. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH34227

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-02-05

  • Closed date

    2021-04-15

  • Last modified date

    2021-04-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850"}]

Document Information

Modified date:
16 April 2021