IBM Support

PI86752: OIDC RP IS REQUIRING OPTIONAL IAT CLAIM IN INTROSPECTED ACCESS TOKEN

Fixes are available

9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
PI96508: OIDC v1.05; OIDC RP may not connect to token endpoint due to SSL handshake failure
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
9.0.5.6: WebSphere Application Server traditional Version 9.0.5 Fix Pack 6

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Using the WebSphere OIDC RP TAI, we want to establish trust
    using the access token in the HTTP header.
    
    The token is sent to the OpenId Provider (OP) introspection
    endpoint and successfully verified by the OP, but
    authentication fails because the OIDC TAI expects an "iat"
    claim in the JSON response from introspection endpoint.
    
    According to the OIDC spec, the iat claim is optional for the
    introspection response.
    

Local fix

  • Creating iFix
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server of the     *
    *                  OpenId Connect Relying Party                *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC RP is requiring optional       *
    *                      claims in the access token in an        *
    *                      introspection response                  *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The OpenId Connect (OIDC) Relying Party (RP) TAI is requiring
    optional claims in the access token in an introspection
    response.  The required claims that should be optional
    are: exp, iat, scope, iss, and uniqueSecurityName.
    

Problem conclusion

  • The OIDC TAI is updated to not require optional claims.
    However, there are situations where an optional claim may be
    required.
    
    The following OIDC TAI custom properties are added:
    
    provider_<id>.defaultRealmName
    This property does not have a default value.
    The realm name to use if one is not obtained from the token.
    
    provider_<id>.verifyIssuerInIat
    true/false (default)
    Set this property to true if you want to validate the issuer
    (iss) in an introspection access token against the value for
    the provider_<id>.issuerIdentifier property in the OIDC
    configuration.
    
    If provider_<id>.mapIdentityToRegistryUser=false, a realm name
    must be available.  If provider_<id>.defaultRealmName has not
    been set, the claim associated with the realmIdentifier
    (default=iss) will be required.
    
    A user name must be resolved.  The claim associated with
    provider_<id>.uniqueUserIdentifier (default=sub) or sub must
    exist.  For instance, if you set uniqueUserIdentifier=abc,
    then you must have have the claim abc or sub.  If
    uniqueUserIdentifier evaulates to sub, then sub must exist.
    
    If the exp claim is not in the introspected access token, the
    expiration will be set to 60 minutes.
    
    If the iat claim is not in the introspected access token, the
    iat will default to current time.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.0.0.15, 9.0.0.6 and 8.5.5.13.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI86752

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-09-01

  • Closed date

    2017-09-18

  • Last modified date

    2017-09-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
18 October 2021