A fix is available
APAR status
Closed as program error.
Error description
When using the OpenID Connect TAI, if the provider_(id).responseType parameter is set to anything other than 'code' (the default value), the login might fail with the following error:

CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [com.ibm.ws.security.oidc.client.RelyingPartyException: The OIDC RP encountered an error when valdating the nonce claim [A nonce claim is required in the idToken, but one is not present.]]. Check the logs for details that lead to this exception.
at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:719)
at com.ibm.ws.security.oidc.client.RelyingParty.negotiateValidateandEstablishTrust(RelyingParty.java:325)
at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:103)
at com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation(WebAuthenticator.java:438)
at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:3103)

When OIDC traces are inspected, you may find that the nonce is returned from the server and see this error in the trace:

[4.3.2021 10:02:29:078 CET] 0000010e JSONUtil 3 hasClaim(obj,claimName) returns [true]
[4.3.2021 10:02:29:078 CET] 0000010e JSONUtil 3 An error occurred when attempting to retrieve the [id_token] claim [com.google.gson.JsonArray incompatible with com.google.gson.JsonPrimitive]
[4.3.2021 10:02:29:078 CET] 0000010e JSONUtil 3 The claim is optional; ignoring exception [An error occurred when attempting to retrieve the [id_token] claim [com.google.gson.JsonArray incompatible with com.google.gson.JsonPrimitive]].
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server and OpenID Connect
PROBLEM DESCRIPTION: OIDC login may fail with Implicit grant flow saying that nonce is not present when it is.
RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.

If the OIDC TAI is configured to perform a login using the Implicit grant flow (provider_(id).responseType=id_token or token+id_token), the login may fail with the following error:

CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [com.ibm.ws.security.oidc.client.RelyingPartyException: The OIDC RP encountered an error when valdating the nonce claim [A nonce claim is required in the idToken, but one is not present.]].
Problem conclusion
If the OIDC TAI is configured to perform a login using the Implicit grant flow (provider_(id).responseType=id_token or token+id_token), when the TAI receives the response from the OP, it is converted into a JSON string so that it can be processed by the rest of the runtime as if it had come from the code flow. There is an error in the method that creates the JSON string when there is an element with only one entry: the single value is emitted as a JSON array instead of a primitive, so the later lookup of the id_token claim fails and the nonce appears to be missing. The OIDC TAI is updated so that it properly constructs the JSON string. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.20 and 9.0.5.8. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
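The conversion described above, as an added illustration that is not IBM's code: a constructed implicit-flow response is parsed into a parameter map (every value a list, as a servlet parameter map is), converted to JSON by a buggy and by a corrected routine, and then handed to a nonce check that models the RP's claim lookup. The id_token, nonce and state values are constructed, and signature verification (which real RP code must do before reading claims) is left out.

```python
import base64
import json
from urllib.parse import parse_qs


def _b64url(obj):
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


SESSION_NONCE = "n-0S6_WzA2Mj"  # constructed value, as stored in the RP session
# Constructed id_token: header.payload.signature; the signature is a placeholder.
ID_TOKEN = ".".join([_b64url({"alg": "RS256"}),
                     _b64url({"sub": "alice", "nonce": SESSION_NONCE}),
                     "placeholder-signature"])
# Constructed implicit-flow response, as delivered in the redirect URL fragment.
OP_RESPONSE = f"id_token={ID_TOKEN}&state=af0ifjsldkj&token_type=Bearer"
PARAMS = parse_qs(OP_RESPONSE)  # {'id_token': [...], 'state': [...], ...}


def to_json_buggy(params):
    """Keeps every value as a list, so a single-entry parameter becomes a JSON array."""
    return json.dumps(dict(params))


def to_json_fixed(params):
    """Unwraps single-entry parameters to a primitive, matching a code-flow token response."""
    return json.dumps({k: (v[0] if len(v) == 1 else v) for k, v in params.items()})


def get_claim(response_json, name):
    """Models the RP's claim lookup: a primitive is expected, an array is an error."""
    value = json.loads(response_json).get(name)
    if isinstance(value, list):
        raise TypeError(f"claim [{name}] is an array, expected a primitive")
    return value


def check_nonce(response_json, expected_nonce):
    """True when the id_token in the converted response carries this session's nonce."""
    try:
        id_token = get_claim(response_json, "id_token")
    except TypeError:
        id_token = None  # the failed lookup is treated as "claim absent"
    if id_token is None:
        return False  # "A nonce claim is required in the idToken, but one is not present."
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("nonce") == expected_nonce
```

With the buggy conversion check_nonce returns False even though the OP sent the nonce; with the corrected conversion it returns True.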
Temporary fix
Comments
APAR Information
APAR number
PH35185
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-03-10
Closed date
2021-04-07
Last modified date
2021-04-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
06 December 2021