PI95405: LIBERTY MAY NOT FIND KEY IN JWK BY X5T

Fixes are available

APAR status

Closed as program error.

Error description

A key cannot be referenced from a jwk using OpenID Connect
in
Liberty.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server Liberty and JWT authentication       *
****************************************************************
* PROBLEM DESCRIPTION: Liberty may not be able to find a key   *
*                      refrenced with x5t in the JWT           *
*                      authentication scenario                 *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
In the JSON Web Token (JWT) authentication scenario, where the
inboundPropagation openidConnectClient configuration attribute
is set to required, if the JWT is signed with RS256 and the key
is referenced with x5t, Liberty cannot resolve the key for
signature validation.
An entry like this may be observed in a Liberty OIDC trace:
[3/9/18 19:52:16:861 UTC] 00000033 JwKRetriever  <
getPublicKeyFromJwk Exit
null
[3/9/18 19:52:16:861 UTC] 00000033 OidcClientCon >
getSignatureAlgorithm Entry
RS256
No Key
CWWKS1739E: A signing key
required by signature algorithm [RS256] was not available.
This issue does not apply to the Liberty OpenID Connect client.
The Liberty OpenID Connect client can resolve a key referenced
with x5t to verify an id_token.

Problem conclusion

Liberty is updated so that it is able to obtain a key that is
referenced with x5t from a JWT that is signed with RS256 in the
JWT authentication scenario.

The fix for this APAR is currently targeted for inclusion in fix
pack 18.0.0.3.  Please refer to the Recommended Updates page for
delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PI95405
Reported component name
LIBERTY PROFILE
Reported component ID
5724J0814
Reported release
CD0
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-03-19
Closed date
2018-04-04
Last modified date
2018-10-23

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
LIBERTY PROFILE
Fixed component ID
5724J0814

Applicable component levels

RCD0 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"CD0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
03 May 2022

Tips

PI95405: LIBERTY MAY NOT FIND KEY IN JWK BY X5T

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

RCD0 PSY

Document Information

Share your feedback

Need support?