APAR status
Closed as program error.
Error description
Update the OpenID Connect (OIDC) Trust Association Interceptor (TAI) so that it can intercept requests based on the issuer in the JSON Web Token (JWT) in the Authorization header of the HTTP request for JWT authentication.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server and OpenID Connect                   *
****************************************************************
* PROBLEM DESCRIPTION: Update the OIDC TAI to allow requests   *
*                      to be intercepted based on the issuer   *
*                      in the JWT in the Authorization header. *
****************************************************************
* RECOMMENDATION:  Install a fix pack or interim fix that      *
*                  contains this APAR.                         *
****************************************************************

The OIDC TAI has the provider_(id).filter, provider_(id).interceptedPathFilter, and provider_(id).excludedPathFilter properties that allow it to intercept requests based on attributes of the HTTP request. It can be difficult to craft a filter set using just these properties to intercept HTTP requests in the way that you want. If you simply want to accept all requests from a specific issuer, https://ibm.com for example, there is no way to accomplish that with the current filter mechanism.
Problem conclusion
The OIDC TAI is updated to allow an administrator to configure the TAI so that it intercepts requests based on the iss claim in the JWT in the Authorization header of the HTTP request. A new OIDC TAI property is added:

Name: provider_(id).allowJwtIssuerSelection
Values: true/false, default=false
Description: Set this property to true if you want to allow the runtime to filter requests based on the iss claim in the JWT in the Authorization header of the HTTP request. The filter matches if the iss claim in the JWT matches this provider's issuer. If there is more than one provider entry with the same issuer name, only one of the provider entries can have this property set to true; otherwise this property is treated as false for all providers with that issuer. When this property is set to true, it overrides the value of the provider_(id).useIssuer property and sets it to true. When the provider_(id).useJwtFromRequest property is set to no, this property has no effect. This filter is applied after the provider_(id).filter and provider_(id).interceptedPathFilter filters.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.22 and 9.0.5.12. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
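The selection rules above (one provider per issuer, useJwtFromRequest=no disables the property, a surviving true overrides useIssuer) are easy to misconfigure, so it helps to see them modelled. The following Python is an added illustration written for this page, not IBM's TAI code: the provider ids, issuer URLs and the constructed_jwt helper are invented, and the property names are only borrowed from the APAR. It reads the iss claim from a Bearer token purely to pick a provider, exactly as the interception step does; signature and claim validation happen afterwards in the TAI and are not modelled here.

```python
import base64
import json

# Constructed example configuration. Property names mirror the OIDC TAI
# properties named in the APAR; ids, issuer URLs and values are made up.
PROVIDERS = {
    "1": {"issuerIdentifier": "https://ibm.com",
          "allowJwtIssuerSelection": True, "useJwtFromRequest": "yes", "useIssuer": False},
    "2": {"issuerIdentifier": "https://ibm.com",   # same issuer as "1": both lose selection
          "allowJwtIssuerSelection": True, "useJwtFromRequest": "yes", "useIssuer": False},
    "3": {"issuerIdentifier": "https://idp.example",
          "allowJwtIssuerSelection": True, "useJwtFromRequest": "yes", "useIssuer": False},
    "4": {"issuerIdentifier": "https://legacy.example",  # useJwtFromRequest=no: no effect
          "allowJwtIssuerSelection": True, "useJwtFromRequest": "no", "useIssuer": False},
}


def effective_config(providers):
    """Apply the APAR's rules and return a copy holding the effective settings.

    - Providers sharing an issuer cannot both select on it; the property
      is treated as false for every provider of that issuer.
    - useJwtFromRequest=no means allowJwtIssuerSelection has no effect.
    - A surviving true overrides useIssuer to true.
    """
    by_issuer = {}
    for pid, cfg in providers.items():
        if cfg["allowJwtIssuerSelection"] and cfg["useJwtFromRequest"] != "no":
            by_issuer.setdefault(cfg["issuerIdentifier"], []).append(pid)
    result = {}
    for pid, cfg in providers.items():
        eff = dict(cfg)
        eff["allowJwtIssuerSelection"] = by_issuer.get(cfg["issuerIdentifier"]) == [pid]
        if eff["allowJwtIssuerSelection"]:
            eff["useIssuer"] = True
        result[pid] = eff
    return result


def _b64url_decode(segment):
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def iss_from_authorization(header_value):
    """Read the iss claim of a Bearer JWT for routing only (no signature check).

    Returns None when there is no Bearer JWT, it is malformed, or iss is absent.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return None
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    iss = payload.get("iss") if isinstance(payload, dict) else None
    return iss if isinstance(iss, str) else None


def select_provider(header_value, providers):
    """Return the id of the single provider entitled to intercept for this iss, else None."""
    iss = iss_from_authorization(header_value)
    if iss is None:
        return None
    for pid, cfg in effective_config(providers).items():
        if cfg["allowJwtIssuerSelection"] and cfg["issuerIdentifier"] == iss:
            return pid
    return None


def constructed_jwt(claims):
    """Build a JWT-shaped token for the demo; the signature segment is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"


if __name__ == "__main__":
    for iss in ("https://idp.example", "https://ibm.com", "https://legacy.example"):
        hdr = "Bearer " + constructed_jwt({"iss": iss})
        print(iss, "->", select_provider(hdr, PROVIDERS))
```

Running it shows that only provider 3 ever intercepts: providers 1 and 2 cancel each other because they share an issuer, and provider 4 is ignored because it does not take the JWT from the request. A token with no Bearer scheme, or with no iss claim, never matches an issuer filter and falls through to the other filters.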
Temporary fix
Comments
APAR Information
APAR number
PH44467
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-02-26
Closed date
2022-04-15
Last modified date
2022-04-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Document Information
Modified date:
16 April 2022