APAR status
Closed as program error.
Error description
When an application is protected by the OpenID Connect Relying Party, an error like the following may occur upon initial login:

SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [Cookie name "OIDCSTATE_BxEIAQzE+axNDRKbJvxvBGIcN8YrylsxeE4bFpeAfeA=_1627285785897" is a reserved token]. Check the logs for details that lead to this exception.
at com.ibm.ws.security.oidc.client.RelyingParty.initiateLogin(RelyingParty.java:592)
at com.ibm.ws.security.oidc.client.RelyingParty.negotiateValidateandEstablishTrust(RelyingParty.java:366)
at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:103)
at com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation(WebAuthenticator.java:439)
...

-or-

CWTAI2030I: The OpenID Connect TAI was unable to retrieve the request data with stateId [ThgkXKF1H4QGyBuHYGyn65ffJCoZUnawsBRTR861RsU%3D_1636053405653] from the state map. It may have expired.

-or-

CWTAI2019E: The state id [sS2cjek8eI1Ep9H+ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881] in the OpenID Connect relying party (RP) state cookie [OIDCSTATE_rp1] does not match the state id [sS2cjek8eI1Ep9H ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881] received from the OpenID Connect provider.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application Server and the OIDC RP
* PROBLEM DESCRIPTION: OIDC initial login may fail when the OIDC stateId contains special characters
* RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.
****************************************************************

When an application is protected by the OpenID Connect Relying Party, an error like the following may occur upon initial login:

SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [Cookie name "OIDCSTATE_BxEIAQzE+axNDRKbJvxvBGIcN8YrylsxeE4bFpeAfeA=_1627285785897" is a reserved token]. Check the logs for details that lead to this exception.

This error only occurs when the provider_(id).useJavaScript OIDC TAI property is set to false. You may also observe an error like one of the following regardless of the useJavaScript setting:

CWTAI2030I: The OpenID Connect TAI was unable to retrieve the request data with stateId [ThgkXKF1H4QGyBuHYGyn65ffJCoZUnawsBRTR861RsU%3D_1636053405653] from the state map. It may have expired.

CWTAI2019E: The state id [sS2cjek8eI1Ep9H+ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881] in the OpenID Connect relying party (RP) state cookie [OIDCSTATE_rp1] does not match the state id [sS2cjek8eI1Ep9H ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881] received from the OpenID Connect provider.
Problem conclusion
The OIDC RP is creating stateIds that contain special characters that may be token separators as defined in RFC 2616 section 2.2 (https://datatracker.ietf.org/doc/html/rfc2616#section-2.2). The stateId is used as part of the extension of the OIDCSTATE_* cookie name that is written to the browser, and a cookie name must be a valid HTTP token. The OIDC RP is updated to ensure that stateIds do not contain special characters, including token separators. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.21 and 9.0.5.11. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH39666
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-08-06
Closed date
2021-11-08
Last modified date
2021-11-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0"}]
Document Information
Modified date:
12 November 2021