A fix is available
APAR status
Closed as program error.
Error description
When an application is using the OIDC com.ibm.ws.security.oidc.util.OidcHelper API, the methods may not find the idToken token on the runAs subject. The following error may be returned from the APIs: Error getting OIDC hashtable from private creds.
Local fix
Change your OIDC TAI config to 'idtoken token'
Problem summary
****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server            *
*                  developers using OIDC APIs                  *
****************************************************************
* PROBLEM DESCRIPTION: When using the OidcHelper APIs, the     *
*                      methods may not find the idToken token  *
*                      on the runAs subject.                   *
****************************************************************
* RECOMMENDATION:  Install a fix pack or interim fix for this  *
*                  APAR.                                       *
****************************************************************
When an application is using API methods in the com.ibm.ws.security.oidc.util.OidcHelper class, even though OIDC login was successful, the following error may be returned from the method:
Error getting OIDC hashtable from private creds.
The following message can be observed in an OIDC trace:
Could not find OIDC hashtable on private creds.
Problem conclusion
The method that finds the Hashtable that contains the OIDC objects on the private creds identifies the table by checking for the key for an access token. If the response from the OP does not contain an access token, the key is not in the table, the table is not identified as the OIDC table, and therefore the idToken is not extracted from the table.
The method that retrieves the OIDC Hashtable is modified to key off an entry that must exist in the table.
The fix for this APAR is targeted for inclusion in fix packs 8.5.5.21 and 9.0.5.9. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
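The lookup failure described in the problem conclusion, reproduced as an added example that is not IBM's code. The key names "access_token" and "id_token", the class OidcTableLookup and its helper methods are assumptions made for illustration; the page does not name the real keys or the entry the fix uses.

```java
import java.util.Hashtable;
import javax.security.auth.Subject;

public class OidcTableLookup {
    // Assumed key names for illustration; the page does not give the real ones.
    static final String ACCESS_TOKEN_KEY = "access_token";
    static final String ID_TOKEN_KEY = "id_token"; // stands in for "an entry that must exist"

    // Return the first Hashtable private credential that contains markerKey, or null.
    static Hashtable<?, ?> findOidcTable(Subject subject, String markerKey) {
        for (Object cred : subject.getPrivateCredentials()) {
            if (cred instanceof Hashtable && ((Hashtable<?, ?>) cred).containsKey(markerKey)) {
                return (Hashtable<?, ?>) cred;
            }
        }
        return null;
    }

    // Build a constructed Subject holding an unrelated table plus an OIDC-style table.
    static Subject subjectWith(String... oidcKeys) {
        Hashtable<String, Object> unrelated = new Hashtable<>();
        unrelated.put("unrelated.cache.key", "constructed-value");
        Hashtable<String, Object> oidc = new Hashtable<>();
        for (String key : oidcKeys) {
            oidc.put(key, "constructed-" + key);
        }
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(unrelated);
        subject.getPrivateCredentials().add(oidc);
        return subject;
    }

    static void report(String label, Subject subject) {
        boolean oldLookup = findOidcTable(subject, ACCESS_TOKEN_KEY) != null;
        boolean newLookup = findOidcTable(subject, ID_TOKEN_KEY) != null;
        System.out.println(label + ": access-token marker found=" + oldLookup
                + ", always-present marker found=" + newLookup);
    }

    public static void main(String[] args) {
        // OP response carrying both tokens: either marker identifies the table.
        report("id token + access token", subjectWith(ID_TOKEN_KEY, ACCESS_TOKEN_KEY));
        // OP response with no access token: the access-token marker misses the table,
        // which is the condition behind "Could not find OIDC hashtable on private creds".
        report("id token only", subjectWith(ID_TOKEN_KEY));
    }
}
```

Application code that reads identity claims through a helper like this should treat a missing table as an authentication-context error rather than falling back to an anonymous or default identity.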
Temporary fix
Comments
APAR Information
APAR number
PH35481
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-03-18
Closed date
2021-08-31
Last modified date
2021-08-31
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
06 December 2021