IBM Support

PI76629: Add authentication option to JWK endpoint invocation

Fixes are available

17.0.0.2: WebSphere Application Server Liberty 17.0.0.2
17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12
21.0.0.1: WebSphere Application Server Liberty 21.0.0.1
21.0.0.2: WebSphere Application Server Liberty 21.0.0.2
21.0.0.3: WebSphere Application Server Liberty 21.0.0.3
21.0.0.4: WebSphere Application Server Liberty 21.0.0.4
21.0.0.5: WebSphere Application Server Liberty 21.0.0.5
21.0.0.6: WebSphere Application Server Liberty 21.0.0.6
21.0.0.7: WebSphere Application Server Liberty 21.0.0.7
21.0.0.8: WebSphere Application Server Liberty 21.0.0.8
21.0.0.9: WebSphere Application Server Liberty 21.0.0.9


APAR status

  • Closed as program error.

Error description

  • Some JWK endpoint implementations (e.g. UAA) require the client
    to present an authentication credential in the Authorization HTTP
    header, and the Liberty RP has no configuration option to create
    that authorization header.
    

Local fix

  • Use a local keystore or a JWK endpoint which does not require
    authentication
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty - OpenID Connect             *
    ****************************************************************
    * PROBLEM DESCRIPTION: OpenID Connect relying party does not   *
    *                      add authorization HTTP header to the    *
    *                      JWK endpoint requests                   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Some JWK endpoint implementations (such as UAA) require clients
    to present an authentication credential in the Authorization HTTP
    header. The Liberty OpenID Connect Relying Party does not add this
    header, so it fails to get the keys necessary to verify the
    tokens.
    

Problem conclusion

  • Introduced new configuration in the OpenID Connect client/relying
    party (RP) to create the authorization header when invoking the
    JWK endpoint. Two new attributes are added:

    jwkClientId = Specifies the client identifier to include in the
    basic authentication scheme of the JWK (JSON Web Key) request.
    jwkClientSecret = Specifies the client password to include in the
    basic authentication scheme of the JWK (JSON Web Key) request.

    Example server configuration with these attributes specified:

    <server>
    ..
     <openidConnectClient
            id="client01"
            ..
            jwkEndpointUrl="https://hostname:portname/oidc/endpoint/oidcProvider/jwk"
            jwkClientId="user1"
            jwkClientSecret="user1password"
            ..
     </openidConnectClient>
    </server>

    The fix for this APAR is currently targeted for inclusion in fix
    pack 17.0.0.2. Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
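The exchange this APAR describes, as an added example that is not IBM's or Liberty's code: a stand-in JWK endpoint that, like the UAA behaviour in the error description, rejects requests without an Authorization header, and an RP-side fetch that adds the HTTP Basic header only when jwkClientId/jwkClientSecret-style values are configured. The endpoint path is taken from the server.xml example above; the credentials, the JWK Set contents and all function names are constructed for this example.

```python
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample JWK Set served by the stand-in endpoint. The key
# material is a placeholder, not a real RSA key; only the structure matters.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "example-kid-1", "use": "sig", "alg": "RS256",
         "n": "placeholder-modulus", "e": "AQAB"}
    ]
}

# Constructed credentials the stand-in endpoint expects (they match the
# jwkClientId / jwkClientSecret values in the page's server.xml example).
EXPECTED_CLIENT_ID = "user1"
EXPECTED_CLIENT_SECRET = "user1password"
JWK_PATH = "/oidc/endpoint/oidcProvider/jwk"


def basic_auth_header(client_id, client_secret):
    """Build the Authorization header value for HTTP Basic (RFC 7617):
    'Basic ' + base64(client_id ':' client_secret). Base64 is encoding,
    not encryption, which is why the JWK URL must be https in practice."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class JwkHandler(BaseHTTPRequestHandler):
    """Stand-in OP JWK endpoint that requires Basic authentication."""

    def do_GET(self):
        if self.path != JWK_PATH:
            self.send_error(404)
            return
        expected = basic_auth_header(EXPECTED_CLIENT_ID, EXPECTED_CLIENT_SECRET)
        if self.headers.get("Authorization") != expected:
            # Missing or wrong credential: no keys are returned, which is the
            # failure mode the problem summary describes.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="jwk"')
            self.end_headers()
            return
        body = json.dumps(SAMPLE_JWKS).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_jwk_server():
    """Bind the stand-in endpoint to an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), JwkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_jwks(url, jwk_client_id=None, jwk_client_secret=None):
    """RP-side JWK fetch. The Authorization header is added only when both
    credential values are configured, mirroring the two new attributes."""
    req = Request(url, headers={"Accept": "application/json"})
    if jwk_client_id and jwk_client_secret:
        req.add_header("Authorization",
                       basic_auth_header(jwk_client_id, jwk_client_secret))
    try:
        with urlopen(req, timeout=5) as resp:
            return {"status": resp.status, "keys": json.load(resp)["keys"]}
    except HTTPError as err:
        return {"status": err.code, "keys": []}


def demo():
    """Run three fetches against the stand-in endpoint and return
    (status without credentials, status with wrong secret,
     status with correct credentials, kids received)."""
    server = start_jwk_server()
    url = f"http://127.0.0.1:{server.server_port}{JWK_PATH}"
    try:
        no_creds = fetch_jwks(url)
        wrong_secret = fetch_jwks(url, "user1", "not-the-secret")
        good = fetch_jwks(url, "user1", "user1password")
    finally:
        server.shutdown()
        server.server_close()
    return (no_creds["status"], wrong_secret["status"], good["status"],
            [k["kid"] for k in good["keys"]])


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(401, 401, 200, ['example-kid-1'])`: the unauthenticated fetch (pre-fix Liberty behaviour) and the wrong-secret fetch both fail, and only the correctly authenticated request returns the key the RP needs to verify token signatures. Because the header carries the secret in reversible encoding, the jwkEndpointUrl should stay https as in the page's example, and the secret belongs in a protected configuration source rather than in clear text in server.xml.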
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI76629

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    CD0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-02-14

  • Closed date

    2017-05-18

  • Last modified date

    2017-05-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROFILE

  • Fixed component ID

    5724J0814

Applicable component levels

  • RCD0 PSY

       UP


Document Information

Modified date:
01 December 2021