APAR status
Closed as program error.
Error description
With the OpenID Connect (OIDC) Trust Association Interceptor (TAI), you currently must to hardcode the signature algorithm that is used to validate the ID token for the OIDC relying party (RP) or the JWT for JWT Authentication. This causes usability problems with users, especially with the RP, which is defaulting to the less-used HS256 algorithm. The signature algorithm used to sign the token is in the object header. The OIDC TAI should be able to use this signature algorithm for verification.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server * * and the OIDC TAI. * **************************************************************** * PROBLEM DESCRIPTION: The OIDC TAI requires that you hardcode * * the signature algorithm that is used to * * verify tokens. * **************************************************************** * RECOMMENDATION: Install a fix pack or interim fix that * * includes this APAR. * **************************************************************** The OIDC requires that you hardcode the provider_(id).signatureAlgorithm property. This causes usability problems with users, especially with the RP, which is defaulting to the less-used HS256 algorithm. This scheme also requires code update each time a new signature algorithm is required.
Problem conclusion
The OIDC TAI is updated to dynamically choose the signature algorithm that is used to verify the ID token and JWT signature based on the header in the token. This is controlled by setting signatureAlgorithm to HEADER. The default setting for the provider_(id).signatureAlgorithm property is updated to be HEADER. As part of this APAR, an allow list and deny list are be added to give the administrator the option of using the algorithm in the header, but disallowing a set of algorithms, or only allowing a specific set of algorithms. Because HS256 is not secure, in most cases, HS256 is added to the deny list by default. =================== Updated properties: ============================== provider_(id).signatureAlgorithm Values: none HS256 RS256 RS512 HEADER (default) Description: Specifies the algorithm that is used to secure messages from the OpenID Connect provider. When this property is set to HEADER, the value is obtained from the header of each inbound token. ============================== provider_<id>.discoveryEndpointUrl The signatureAlgorithm property is no longer in the list of properties obtained from the discovery result. =============== New properties: ============================== provider_(id).signatureAllowList Values: You can specify a comma-separated list of signature algorithms. This property does not have a default value. Description: Specifies a comma separated list of signature algorithms that are allowed to secure messages from the OpenID Connect provider. If the provider_(id).signatureAlgorithm property is set to a value other than HEADER, this property is ignored. A value cannot be provided for both this property and the provider_(id).signatureDenyList property. This list can include any value that is supported by the jose4j open source project except HS256. Besides ensuring that the HS256 signature algorithm is not in the list, the values for this property are not validated by the OIDC TAI. ============================== provider_(id).signatureDenyList Values: You can specify a comma-separated list of signature algorithms. See the description for the default value. Description: Specifies a comma separated list of signature algorithms that are not allowed to secure messages from the OpenID Connect provider. If the provider_(id).signatureAlgorithm property is set to a value other than HEADER, this property is ignored. A value cannot be provided for both this property and the provider_(id).signatureAllowList property. This list can include any value that is supported by the jose4j open source project and the values are not validated by the OIDC TAI. The HS256 algorithm is not secure and we want to disallow it by default. However, since the default for the OIDC RP was originally HS256, but it is now HEADER, this property cannot be defaulted to HS256 absolutely. If the configured list does not include HS256, HS256 is added to the list if any of the following conditions are true: * The provider_(id).useJwtFromRequest property is set to required. * The provider_(id).signatureAlgorithm property is set to HEADER. * Discovery is in use and HS256 is the only value for the id_token_signing_alg_values_supported claim in the OP's discovery result. The fix for this APAR is targeted for inclusion in fix pack 8.5.5.23 and 9.0.5.13. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH47272
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-06-16
Closed date
2022-06-28
Last modified date
2023-01-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
25 January 2023