IBM Support

PH35481: OIDC APIS MAY NOT FIND IDTOKEN TOKEN ON RUNAS SUBJECT


APAR status

  • Closed as program error.

Error description

  • When an application is using the OIDC
    com.ibm.ws.security.oidc.util.OidcHelper API, the methods
    may not find the idToken token on the runAs subject.  The
    following error may be returned from the APIs:
    
    Error getting OIDC hashtable from private creds.
    

Local fix

  • Change your OIDC TAI config to 'idtoken token'
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server            *
    *                  developers using OIDC APIs                  *
    ****************************************************************
    * PROBLEM DESCRIPTION: When using the OidcHelper APIs, the     *
    *                      methods may not find the idToken token  *
    *                      on the runAs subject.                   *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix for this  *
    *                  APAR.                                       *
    ****************************************************************
    When an application is using API methods in the
    com.ibm.ws.security.oidc.util.OidcHelper package, even though
    OIDC login was successful, the following error may be returned
    from the method:
    Error getting OIDC hashtable from private creds.
    The following message can be observed in an OIDC trace:
    Could not find OIDC hashtable on private creds.
    

Problem conclusion

  • The method that finds the HashTable containing the OIDC
    objects on the private creds identifies the table by
    checking for the access token key.  If the response from
    the OP does not contain an access token, that key is not in
    the table, the table is not identified as the OIDC table,
    and therefore the idToken is not extracted from it.
    
    The method that retrieves the OIDC HashTable is modified to
    key off an entry that must exist in the table.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.21 and 9.0.5.9. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    
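To make the failure mode concrete, here is an added illustration (not IBM's code) of the two lookup strategies over a runAs Subject's private credentials. The key names, the required marker entry and the token values are assumptions for the example; the APAR does not name WebSphere's actual keys.

```java
import java.util.Hashtable;
import javax.security.auth.Subject;

public class OidcCredLookup {
    // Placeholder key names; the APAR does not name WebSphere's actual keys.
    static final String ACCESS_TOKEN_KEY = "access_token";
    static final String ID_TOKEN_KEY = "id_token";
    // Assumed marker that every OIDC login populates, used by the fixed lookup.
    static final String REQUIRED_KEY = "id_token";

    // Scans the subject's private credentials for a Hashtable holding the
    // given key; that key decides whether a table counts as the OIDC table.
    static Hashtable<?, ?> findTableByKey(Subject subject, String key) {
        for (Object cred : subject.getPrivateCredentials()) {
            if (cred instanceof Hashtable && ((Hashtable<?, ?>) cred).containsKey(key)) {
                return (Hashtable<?, ?>) cred;
            }
        }
        return null; // caller reports "Could not find OIDC hashtable on private creds."
    }

    // Pre-fix behaviour described in the APAR: table identified by the access token key.
    static String getIdTokenBuggy(Subject subject) {
        Hashtable<?, ?> t = findTableByKey(subject, ACCESS_TOKEN_KEY);
        return t == null ? null : (String) t.get(ID_TOKEN_KEY);
    }

    // Post-fix behaviour: table identified by an entry that must exist.
    static String getIdTokenFixed(Subject subject) {
        Hashtable<?, ?> t = findTableByKey(subject, REQUIRED_KEY);
        return t == null ? null : (String) t.get(ID_TOKEN_KEY);
    }

    static String describe(String idToken) {
        return idToken == null ? "Error getting OIDC hashtable from private creds."
                               : "idToken=" + idToken;
    }

    public static void main(String[] args) {
        // Constructed runAs subject: the OP returned an ID token but no access token.
        Subject runAs = new Subject();
        Hashtable<String, Object> oidc = new Hashtable<>();
        oidc.put(ID_TOKEN_KEY, "constructed.id.token");
        runAs.getPrivateCredentials().add("unrelated private credential");
        runAs.getPrivateCredentials().add(oidc);

        System.out.println("buggy lookup: " + describe(getIdTokenBuggy(runAs)));
        System.out.println("fixed lookup: " + describe(getIdTokenFixed(runAs)));
    }
}
```

With an ID-token-only response the buggy lookup reports the error from the APAR while the fixed lookup returns the token; with an access token present both succeed.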

Temporary fix

Comments

APAR Information

  • APAR number

    PH35481

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-03-18

  • Closed date

    2021-08-31

  • Last modified date

    2021-08-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • Line of Business: IBM Automation
  • Business Unit: Cloud & Data Platform
  • Product: WebSphere Application Server
  • Platform: Platform Independent
  • Version: 850

Document Information

Modified date:
01 September 2021