Fixes are available
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
The WebSphere Application Server OpenId Connect Relying Party expects multi-valued group attributes, but in certain cases the OP can send a single-valued group attribute.
Local fix
Configure the OP to send a multi-valued group attribute
Problem summary
****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server users of    *
*                 OpenID Connect (OIDC)                        *
****************************************************************
* PROBLEM DESCRIPTION: OIDC ClassCastException                 *
*                      java.util.ArrayList                     *
****************************************************************
* RECOMMENDATION: Install a fix pack that contains this        *
*                 APAR.                                        *
****************************************************************
The OpenID Connect Trust Association Interceptor may return a 403 to a client request, leaving the following FFDC:

[1/25/17 15:47:36:764 MST] 000000de FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /usr/WebSphere/AppServer/profiles/AppSrvr/logs/ffdc/server1_4cb7d750_17.01.25_15.47.36.7608905319016880026677.txt com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation 590
[1/25/17 15:47:36:765 MST] 000000de WebAuthentica E SECJ0128E: An unexpected exception occurred during Trust Association. The exception is java.lang.ClassCastException: java.lang.String incompatible with java.util.ArrayList
at com.ibm.ws.security.oidc.client.SessionData.getGroupIds(SessionData.java:407)
at com.ibm.ws.security.oidc.client.SessionData.getJaasSubject(SessionData.java:565)
at com.ibm.ws.security.oidc.client.RelyingParty.AuthenticateUsingSessionCookie(RelyingParty.java:612)
at ...
Problem conclusion
If a JSON Web Token (JWT) carries a group claim with only one member, the group query returns a String instead of an ArrayList. The OIDC code expects an ArrayList, hence the ClassCastException. The OIDC runtime is updated to accept either a String or an ArrayList from the group query of a JWT. The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.14, 8.5.5.12 and 9.0.0.4. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
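The following Java is an added illustration of the defect class this APAR describes and of the tolerant handling the conclusion calls for; it is not WebSphere code and does not reproduce the real SessionData.getGroupIds implementation. It assumes a JSON parser that returns claims as a Map<String, Object>, with a one-element JSON array or a bare JSON string for the group claim surfacing as a java.lang.String and a multi-element array as a List. The claim name "groups", the method names and the sample claim sets are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class GroupClaimExample {

    // Fragile version (the shape of the bug): assumes the group claim was always
    // parsed into a List. When the OP sends a single-valued attribute the parser
    // hands back a String, and the cast below throws ClassCastException, which
    // the interceptor would surface as a failed authentication (HTTP 403).
    static List<String> getGroupIdsFragile(Map<String, Object> claims) {
        @SuppressWarnings("unchecked")
        List<String> groups = (List<String>) claims.get("groups");
        return groups;
    }

    // Tolerant version (the shape of the fix): accept a String or a List,
    // normalise both to an immutable-safe copy, and reject any other type
    // explicitly instead of letting a cast fail deep inside authentication.
    static List<String> getGroupIdsTolerant(Map<String, Object> claims) {
        Object value = claims.get("groups");
        if (value == null) {
            return Collections.emptyList();          // no group claim at all
        }
        if (value instanceof String) {
            return Collections.singletonList((String) value);   // single-valued attribute
        }
        if (value instanceof List) {
            List<String> result = new ArrayList<>();
            for (Object element : (List<?>) value) {
                if (!(element instanceof String)) {
                    throw new IllegalArgumentException("non-string group entry: " + element);
                }
                result.add((String) element);
            }
            return result;                           // multi-valued attribute
        }
        throw new IllegalArgumentException(
                "unexpected type for groups claim: " + value.getClass().getName());
    }

    public static void main(String[] args) {
        // Constructed sample claim sets, shaped the way a JSON parser would return them.
        Map<String, Object> multi = new HashMap<>();
        multi.put("sub", "alice");
        multi.put("groups", Arrays.asList("admins", "developers"));

        Map<String, Object> single = new HashMap<>();
        single.put("sub", "bob");
        single.put("groups", "developers");   // one member: a String, not a List

        System.out.println("fragile, multi-valued : " + getGroupIdsFragile(multi));
        System.out.println("tolerant, multi-valued: " + getGroupIdsTolerant(multi));
        System.out.println("tolerant, single-valued: " + getGroupIdsTolerant(single));
        try {
            System.out.println("fragile, single-valued: " + getGroupIdsFragile(single));
        } catch (ClassCastException e) {
            // This is the failure path reported in the APAR's FFDC.
            System.out.println("fragile, single-valued: " + e);
        }
    }
}
```

The tolerant variant is the pattern to apply wherever an identity-provider attribute can legitimately be scalar or multi-valued: normalise at the boundary, and fail with a descriptive error on unexpected types rather than on an incidental cast. On unfixed levels, the Local fix above (configuring the OP to always emit a multi-valued group attribute) avoids the String case entirely.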
Temporary fix
Comments
APAR Information
APAR number
PI75095
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-01-17
Closed date
2017-03-07
Last modified date
2017-03-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R800 PSY
UP
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
04 May 2022