IBM Support

PI57265: Add OpenID Connect relying party (RP) config option to specify w hether to do client side redirect

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When the clients access OIDC protected resources without the
    authentication, the RP runtime redirects the clients (to OP)
    by sending the response code 200 and also includes a
    javascript in the response. This will be a problem for the
    clients that cannot support javascript and/or stop the
    request processing when they see the 200 response code.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty Profile - Web Services       *
    *                  Security                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: OIDC RP performs client side redirect   *
    *                      by including javascript and also        *
    *                      responds with 200 OK                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When the clients access OIDC protected resources without the
    authentication, the RP runtime redirects the clients (to OP) by
    sending the response code 200 and also includes javascript in
    the response. This will be a problem for the clients that cannot
    support javascript and/or stop the request processing when they
    see the 200 response code.
    

Problem conclusion

  • Add an OpenID Connect relying party (RP) config option to
    specify whether to do the client side redirect. The new option
    is "isClientSideRedirectSupported" and default value is "true".
    If the clients cannot handle either javascript or the response
    code 200, then they can set this new configuration option to
    "false".
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 8.5.5.9.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI57265

  • Reported component name

    WAS LIBERTY COR

  • Reported component ID

    5725L2900

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-02-15

  • Closed date

    2016-02-24

  • Last modified date

    2016-02-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WAS LIBERTY COR

  • Fixed component ID

    5725L2900

Applicable component levels

  • R855 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSD28V","label":"WebSphere Application Server Liberty Core"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
16 October 2021