A fix is available
APAR status
Closed as program error.
Error description
The OpenID Connect (OIDC) relying party (RP) trust association interceptor (TAI) is unable to log out from an OIDC provider (OP) with an RP-Initiated logout.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: Users of IBM WebSphere Application Server    *
* and OIDC                                                     *
****************************************************************
* PROBLEM DESCRIPTION: The OIDC RP cannot perform an           *
* RP-Initiated logout.                                         *
****************************************************************
* RECOMMENDATION: Install a fix pack or interim fix that       *
* contains this APAR.                                          *
****************************************************************
The OpenID Connect (OIDC) relying party (RP) trust association interceptor (TAI) is unable to log out from an OIDC provider (OP) with an RP-Initiated logout.
Problem conclusion
The OIDC RP is updated so that it can perform an RP-Initiated logout. If configured to do so, an RP-Initiated logout is performed when HttpServletRequest.logout() or ibm_security_logout (form logout) is invoked.

Note: iFixes that contain this APAR can only perform RP-Initiated logout when HttpServletRequest.logout() is invoked. APAR PH48145 is required for the OIDC TAI to log out when ibm_security_logout is invoked. A fix for PH48145 is not included in OIDC TAI iFixes; therefore RP-Initiated logout can only be performed upon form logout on fix packs 8.5.5.23 and 9.0.5.14 and later.

The following OIDC TAI property is updated:

========================
provider_(id).endSessionEndpoint

Description: Set this property to the value of the end session endpoint for the OpenID provider. When this property is set to a value and the provider_(id).endSessionEndpointEnabled property is set to true, the TAI redirects logout requests to the configured end session endpoint. An id_token_hint parameter is added to the end session request. If the provider_(id).discoveryEndpointUrl property is specified, the value for this property is overridden. The value for this property can be retrieved with the OidcClientHelper.getEndSessionEndpoint() method.

The following OIDC TAI properties are added:

provider_(id).endSessionRedirectUrl
provider_(id).endSessionEndpointEnabled

========================
provider_(id).endSessionEndpointEnabled

Values: true / false (default)

Description: Set this property to true if you want to enable RP-Initiated logout with the URL specified on the provider_(id).endSessionEndpoint property. This applies if the endpoint was obtained either from a TAI property or from discovery. If an end session endpoint is available and the endSessionEndpointEnabled property is set to false, you can still use the OidcClientHelper.getEndSessionEndpoint() method to retrieve the configured end session endpoint.
========================
provider_(id).endSessionRedirectUrl

Description: Set this property to the value for the post_logout_redirect_uri parameter on the request to the end session endpoint on the OP. The OP redirects to this URL after logout is complete. Consult your OP documentation for the behavior that you will experience when the post_logout_redirect_uri parameter is not included in the logout request.

========================
provider_(id).endSessionUseLogoutExitPage

Values: true / false (default)

Description: Set this property to true if you want to use the value for the logoutExitPage parameter on an ibm_security_logout request as the value for the post_logout_redirect_uri parameter on the end session request to the OP.

========================
Three new methods are added to the com.ibm.websphere.security.oidc.util.OidcClientHelper API:

    static void logout(HttpServletRequest req, HttpServletResponse rsp) throws Exception;
    static void logout(HttpServletRequest req, HttpServletResponse rsp, String endSessionRedirectUrl) throws Exception;
    static void opLogout(HttpServletRequest req, HttpServletResponse rsp) throws Exception;

    /**
     * Invoke the OIDC TAI's logout method that is ordinarily
     * invoked by HttpServletRequest.logout and ibm_security_logout.
     *
     * This method deletes cookies (through the HttpServletResponse
     * object), removes cache entries, and if configured to do so,
     * sends a request to the OP to revoke tokens and redirects the
     * request to the OP's end session endpoint.
     *
     * This method is intended to enable applications to kick off
     * an RP-Initiated logout without having to go through
     * HttpServletRequest.logout or ibm_security_logout.
     *
     * @param req request message
     * @param rsp response message
     *
     * @throws Exception if an error occurs during logout
     */
    static void logout(HttpServletRequest req, HttpServletResponse rsp) throws Exception;

    /**
     * Invoke the OIDC TAI's logout method that is ordinarily
     * invoked by HttpServletRequest.logout and ibm_security_logout.
     *
     * This method deletes cookies (through the HttpServletResponse
     * object), removes cache entries, and if configured to do so,
     * sends a request to the OP to revoke tokens and redirects the
     * request to the OP's end session endpoint.
     *
     * This method is intended to enable applications to kick off
     * an RP-Initiated logout without having to go through
     * HttpServletRequest.logout or ibm_security_logout.
     *
     * This method allows you to override the configured value
     * for the endSessionRedirectUrl property if the
     * provider_(id).endSessionUseLogoutExitPage property is set to
     * true.
     *
     * @param req request message
     * @param rsp response message
     * @param endSessionRedirectUrl value for the
     *                              post_logout_redirect_uri
     *                              parameter on the end session
     *                              request to the OP
     *
     * @throws Exception if an error occurs during logout
     */
    static void logout(HttpServletRequest req, HttpServletResponse rsp, String endSessionRedirectUrl) throws Exception;

    /**
     * Invoke the OIDC TAI's logout method that is ordinarily
     * invoked by HttpServletRequest.logout and ibm_security_logout.
     *
     * This method deletes cookies (through the HttpServletResponse
     * object), removes cache entries, and if configured to do so,
     * sends a request to the OP to revoke tokens and redirects the
     * request to the OP's end session endpoint.
     *
     * This method is intended to enable applications to kick off
     * an RP-Initiated logout without having to go through
     * HttpServletRequest.logout or ibm_security_logout. This
     * method ignores the value of the
     * provider_(id).endSessionEndpointEnabled property. If a
     * provider_(id).endSessionEndpoint property is configured, the
     * request is redirected to that endpoint regardless of the
     * value for the endSessionEndpointEnabled property.
     *
     * @param req request message
     * @param rsp response message
     *
     * @throws Exception if an error occurs during logout
     */
    static void opLogout(HttpServletRequest req, HttpServletResponse rsp) throws Exception;

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.23 and 9.0.5.14. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
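As an added example (not code from the APAR or from IBM), the servlet below shows how an application would drive an RP-Initiated logout through the OidcClientHelper methods described above. It assumes a single provider configured as provider_1 with placeholder endpoint and redirect URLs (constructed values); the servlet, the returnTo parameter and the allow-list check are the example's own and not part of the TAI. The allow-list matters because the third logout overload sends whatever string it is given to the OP as post_logout_redirect_uri, so only URLs the RP itself owns should be passed in.

```java
// Added example (not from the APAR or from IBM): a servlet that performs an
// RP-Initiated logout through the OidcClientHelper methods added by PH48083.
//
// Assumed OIDC TAI configuration for one provider (property names from the
// APAR, values are constructed placeholders):
//   provider_1.endSessionEndpoint=https://op.example.com/oidc/endsession
//   provider_1.endSessionEndpointEnabled=true
//   provider_1.endSessionRedirectUrl=https://rp.example.com/loggedout
//   provider_1.endSessionUseLogoutExitPage=true
package com.example.oidc;

import java.io.IOException;
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.oidc.util.OidcClientHelper;

@WebServlet("/logout")
public class OidcLogoutServlet extends HttpServlet {

    // post_logout_redirect_uri values the RP is willing to hand to the OP.
    // Anything not on this list falls back to the configured
    // provider_(id).endSessionRedirectUrl, so a caller cannot turn the
    // logout round trip into a redirect to an arbitrary site.
    private static final Set<String> ALLOWED_RETURN_URLS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "https://rp.example.com/loggedout",
                    "https://rp.example.com/")));

    // Logout changes state: accept it only over POST (and pair the form that
    // posts here with the application's usual CSRF token check).
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse rsp)
            throws ServletException, IOException {
        String returnTo = allowedReturnUrl(req.getParameter("returnTo"));
        try {
            if (returnTo != null) {
                // Overrides provider_(id).endSessionRedirectUrl for this request;
                // per the APAR the override applies only when
                // provider_(id).endSessionUseLogoutExitPage is true.
                OidcClientHelper.logout(req, rsp, returnTo);
            } else {
                // Same clean-up as HttpServletRequest.logout()/ibm_security_logout:
                // cookies and cache entries are removed, and the browser is
                // redirected to the OP's end session endpoint (with id_token_hint)
                // only if provider_(id).endSessionEndpointEnabled is true.
                OidcClientHelper.logout(req, rsp);
            }
        } catch (Exception e) {
            throw new ServletException("RP-Initiated logout failed", e);
        }
        // OidcClientHelper.opLogout(req, rsp) would instead redirect to the end
        // session endpoint even when endSessionEndpointEnabled=false, as long as
        // provider_(id).endSessionEndpoint is set.
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
        rsp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "Use POST to log out");
    }

    // Returns the normalised URL if it is absolute, fragment-free and on the
    // allow-list; otherwise null so the configured redirect URL is used.
    static String allowedReturnUrl(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return null;
        }
        try {
            URI uri = URI.create(candidate).normalize();
            if (!uri.isAbsolute() || uri.getFragment() != null) {
                return null;
            }
            String normalised = uri.toString();
            return ALLOWED_RETURN_URLS.contains(normalised) ? normalised : null;
        } catch (IllegalArgumentException malformed) {
            return null;
        }
    }
}
```

On an iFix that carries only this APAR, the call into OidcClientHelper.logout is the path that works regardless of PH48145, because it does not depend on ibm_security_logout; on the fix packs named above the same result is obtained from a plain form logout once endSessionEndpointEnabled is true.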
Temporary fix
Comments
APAR Information
APAR number
PH48083
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-07-19
Closed date
2022-09-16
Last modified date
2023-04-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Business Unit: IBM Software w/o TPS (BU059); Product: WebSphere Application Server (SSEQTP); Platform: Platform Independent (PF025); Version: 9.0; Line of Business: Automation (LOB45)
Document Information
Modified date:
04 April 2023