APAR status
Closed as program error.
Error description
The OpenID Connect (OIDC) TAI does not support implicit login flow for initial requests. The provider_<id>.allowImplicitClientFlow custom property appears to be doing something different.
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server and OpenID Connect

PROBLEM DESCRIPTION: The OIDC TAI does not support the implicit login flow for initial login requests.

RECOMMENDATION: Install a fix pack or interim fix that includes this APAR.

The OpenID Connect (OIDC) relying party (RP) Trust Association Interceptor (TAI) does not support the implicit login flow for initial login requests.
Problem conclusion
The following properties are added to the OIDC TAI to support the implicit login flow:

==========================
provider_<id>.responseType
Default: code
Values: code, id_token, id_token token, id_token+token
Description: This property defines the value for the [response_type] parameter that will be sent to the OpenID Connect provider on authentication requests. When [code] is specified, the OpenID Connect code login flow is used. When the value is set to anything other than [code]:
* The RP will run in implicit mode.
* The OP server must support the [response_mode=form_post] parameter.
* The OP will respond with an HTTP POST instead of an HTTP GET.

==========================
provider_<id>.nonceEnabled
Default: false
Description: When this property is set to true, a nonce parameter is sent to the OpenID Connect provider on the authentication request. When the responseType property is set to [code], this parameter defaults to false. When the responseType property is set to anything other than [code], this property will be set to [true] and cannot be altered.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18 and 9.0.5.4. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
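The sketch below is an added example, not IBM code: it resolves the effective settings per provider from the two properties described above, so a reviewer can see where implicit mode is active and where a configured nonceEnabled=false is overridden. The key=value input layout, the provider ids and the function names are assumptions made for illustration.

```python
# Added example: resolves the effective OIDC TAI settings described in this APAR.
import re

# Documented values; "id_token+token" is normalized to "id_token token" below.
ALLOWED = {"code", "id_token", "id_token token"}
PROP = re.compile(r"^provider_(\w+)\.(responseType|nonceEnabled)\s*=\s*(.*)$")

def parse(text):
    """Collect responseType/nonceEnabled per provider id from key=value lines."""
    providers = {}
    for line in text.splitlines():
        m = PROP.match(line.strip())
        if m:
            pid, key, value = m.groups()
            providers.setdefault(pid, {})[key] = value.strip()
    return providers

def resolve(props):
    """Apply the defaults and the forced-nonce rule to one provider's properties."""
    raw = props.get("responseType", "code")
    rtype = " ".join(raw.replace("+", " ").split())
    notes = []
    if rtype not in ALLOWED:
        notes.append(f"responseType '{raw}' is not a documented value")
    implicit = rtype != "code"  # anything other than code means implicit mode
    nonce_cfg = props.get("nonceEnabled", "false").lower() == "true"
    if implicit:
        if "nonceEnabled" in props and not nonce_cfg:
            notes.append("nonceEnabled=false is ignored: forced to true in implicit mode")
        notes.append("OP must support response_mode=form_post and will reply with HTTP POST")
    return {"responseType": rtype, "implicit": implicit,
            "nonceEnabled": True if implicit else nonce_cfg, "notes": notes}

# Constructed sample input; the provider ids 1-3 are placeholders.
SAMPLE = """\
provider_1.responseType=code
provider_2.responseType=id_token+token
provider_2.nonceEnabled=false
provider_3.nonceEnabled=true
"""

def audit(text=SAMPLE):
    """Return the effective settings for every provider found in the text."""
    return {pid: resolve(p) for pid, p in sorted(parse(text).items())}

if __name__ == "__main__":
    for pid, eff in audit().items():
        print(pid, eff)
```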
Temporary fix
Comments
APAR Information
APAR number
PI96403
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-04-09
Closed date
2020-09-14
Last modified date
2020-09-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
02 November 2021