Fixes are available
PI47460: Add multi-provider support to OpenID Connect Relying Party in the full profile
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
PI55697: OpenID Connect Relying Party : No entry in cache for stateid
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
The WebSphere Application Server full profile OpenID Connect RP will not work with multiple OpenID Connect providers. The Trust Association Interceptor (TAI) configuration of RP will only allow one provider to be configured.
Local fix
n/a
Problem summary
****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server users of    *
*                 OpenID Connect relying party                 *
****************************************************************
* PROBLEM DESCRIPTION: The OpenID Connect Relying Party (RP)    *
*                      TAI does not support multiple            *
*                      providers.                               *
****************************************************************
* RECOMMENDATION: Install a fix pack that contains this         *
*                 APAR.                                         *
****************************************************************
The current implementation of the OpenID Connect relying party Trust Association Interceptor (TAI) in the full profile only supports the configuration of a single provider. A user who needs the TAI to interact with multiple providers has no way to configure it.
Problem conclusion
The OpenID Connect relying party TAI is updated to add multi-provider support. You configure each provider by embedding a provider_<id> prefix in the TAI property name; the provider_<id> values are numbered sequentially, one per OP. Some TAI properties apply to all providers, and those are not prefixed with provider_<id>. For example, two providers can be configured as shown below:

provider_1.identifier=provider1
provider_1.interceptedPathFilter=/testapp1
provider_1.clientId=client01
provider_1.clientSecret=secret_01
provider_1.authorizeEndpointUrl=https://localhost:8020/oidc/endpoint/OP/authorize
provider_1.tokenEndpointUrl=https://localhost:8020/oidc/endpoint/OP/token
provider_1.scope=openid general
provider_2.identifier=provider2
provider_2.interceptedPathFilter=/testapp2
provider_2.clientId=client02
provider_2.clientSecret=secret_02
provider_2.authorizeEndpointUrl=https://accounts.google.com/o/oauth2/auth
provider_2.tokenEndpointUrl=https://www.googleapis.com/oauth2/v3/token
provider_2.scope=openid general email
provider_2.jwkEndpointUrl=https://www.googleapis.com/oauth2/v2/certs
provider_2.issuerIdentifier=accounts.google.com
provider_2.signatureAlgorithm=RS256
provider_2.userIdentifier=email
callbackServletContext=/oidcclient

See http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-dist&topic=csec_oidprop for more information on the OpenID Connect RP custom properties.

The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.12 and 8.5.5.8. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
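As an added illustration of the provider_<id> property layout described above (example code written here, not IBM's TAI implementation), the following Python splits a TAI property set into per-provider and global properties, checks that the ids are numbered sequentially as the APAR states, and picks the provider whose interceptedPathFilter covers a request path. Treating interceptedPathFilter as a comma-separated list of path prefixes is an assumption of this example, and the sample properties are a shortened, constructed copy of the configuration above.

```python
import re

# Constructed sample, shortened from the two-provider configuration in the APAR text.
SAMPLE_TAI_PROPERTIES = """
provider_1.identifier=provider1
provider_1.interceptedPathFilter=/testapp1
provider_1.clientId=client01
provider_1.authorizeEndpointUrl=https://localhost:8020/oidc/endpoint/OP/authorize
provider_1.tokenEndpointUrl=https://localhost:8020/oidc/endpoint/OP/token
provider_2.identifier=provider2
provider_2.interceptedPathFilter=/testapp2
provider_2.clientId=client02
provider_2.issuerIdentifier=accounts.google.com
provider_2.signatureAlgorithm=RS256
callbackServletContext=/oidcclient
"""

PROVIDER_KEY = re.compile(r"^provider_(\d+)\.(\w+)$")


def parse_tai_properties(text):
    """Return (providers, globals): providers maps numeric id -> {property: value},
    globals holds the properties with no provider_<id> prefix."""
    providers, global_props = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        match = PROVIDER_KEY.match(key.strip())
        if match:
            providers.setdefault(int(match.group(1)), {})[match.group(2)] = value.strip()
        else:
            global_props[key.strip()] = value.strip()
    # The APAR states ids are sequential; a gap (e.g. 1, 3) would mean a provider
    # block is silently ignored, so reject it instead of leaving a path unprotected.
    ids = sorted(providers)
    if ids != list(range(1, len(ids) + 1)):
        raise ValueError("provider ids must be sequential from 1, got %s" % ids)
    return providers, global_props


def select_provider(providers, request_path):
    """Return the id of the first provider whose interceptedPathFilter (assumed here
    to be comma-separated path prefixes) matches request_path, or None."""
    for pid in sorted(providers):
        filters = providers[pid].get("interceptedPathFilter", "")
        if any(request_path.startswith(p.strip()) for p in filters.split(",") if p.strip()):
            return pid
    return None
```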
Temporary fix
Comments
APAR Information
APAR number
PI47460
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-08-24
Closed date
2015-09-18
Last modified date
2015-09-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
28 April 2022