IBM Support

PI96403: OIDC RP: SUPPORT IMPLICIT LOGIN FLOW FOR INITIAL REQUESTS

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The OpenID Connect (OIDC) TAI does not support implicit login
    flow for initial requests.  The
    provider_<id>.allowImplicitClientFlow custom property appears
    to be doing something different.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  and OpenID Connect                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC TAI does not support the       *
    *                      implicit login flow for initial login   *
    *                      requests.                               *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  includes                                    *
    *                  this APAR.                                  *
    ****************************************************************
    The OpenID Connect (OIDC) relying party (RP) Trust Association
    Interceptor (TAI) does not support the implicit login flow for
    initial login requests.
    

Problem conclusion

  • The following properties are added to the OIDC TAI to support th
    implicit login flow:
    
    ==========================
    provider_<id>.responseType
    Default: code
    Values: code, id_token, id_token token, id_token+token
    Description:
    This property defines the value for the [response_type] paramete
    that will be sent to the OpenID Connect provider on
    authentication requests. When [code] is specified, the OpenID
    connect code login flow is used.
    
    When the value is set to anything other than [code]:
    * The RP will run in implicit mode.
    * The OP server must support the [response_mode=form_post]
    parameter.
    * The OP will respond with an HTTP POST instead of an HTTP GET.
    
    ==========================
    provider_<id>.nonceEnabled
    default: false
    Description:
    When this property is set to true, a nonce parameter is sent to
    the OpenID Connect provider on the authentication request. When
    the responseType property is set to [code], this parameter
    defaults to false. When the responseType property set to anythin
    other than [code], this property will be set to [true] and canno
    be altered.
    
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.4. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI96403

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-04-09

  • Closed date

    2020-09-14

  • Last modified date

    2020-09-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
02 November 2021