IBM Support

PI96403: OIDC RP: SUPPORT IMPLICIT LOGIN FLOW FOR INITIAL REQUESTS

APAR status

  • Closed as program error.

Error description

  • The OpenID Connect (OIDC) TAI does not support implicit login
    flow for initial requests.  The
    provider_<id>.allowImplicitClientFlow custom property appears
    to be doing something different.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  and OpenID Connect                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC TAI does not support the       *
    *                      implicit login flow for initial login   *
    *                      requests.                               *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  includes                                    *
    *                  this APAR.                                  *
    ****************************************************************
    The OpenID Connect (OIDC) relying party (RP) Trust Association
    Interceptor (TAI) does not support the implicit login flow for
    initial login requests.
    

Problem conclusion

  • The following properties are added to the OIDC TAI to support the
    implicit login flow:
    
    ==========================
    provider_<id>.responseType
    Default: code
    Values: code, id_token, id_token token, id_token+token
    Description:
    This property defines the value for the [response_type] parameter
    that will be sent to the OpenID Connect provider on
    authentication requests. When [code] is specified, the OpenID
    Connect code login flow is used.
    
    When the value is set to anything other than [code]:
    * The RP will run in implicit mode.
    * The OP server must support the [response_mode=form_post]
    parameter.
    * The OP will respond with an HTTP POST instead of an HTTP GET.
    
    ==========================
    provider_<id>.nonceEnabled
    Default: false
    Description:
    When this property is set to true, a nonce parameter is sent to
    the OpenID Connect provider on the authentication request. When
    the responseType property is set to [code], this parameter
    defaults to false. When the responseType property is set to
    anything other than [code], this property will be set to [true]
    and cannot be altered.
    
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.4. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
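
The implicit-mode behaviour described above (response_mode=form_post plus a mandatory nonce), shown as an added Python example; it is not IBM's TAI code. The endpoint URLs, client ID and function names are assumptions, and the sample token is constructed and unsigned, so the signature, iss, aud and exp checks a real RP performs are out of scope here.

```python
import base64, hmac, json, secrets
from urllib.parse import urlencode

# Assumed values for illustration; none of these come from the APAR.
AUTHZ_ENDPOINT = "https://op.example.com/authorize"
CLIENT_ID = "rp-client"
REDIRECT_URI = "https://rp.example.com/oidcclient/callback"

def build_auth_request(session, response_type="code"):
    """Build the authentication request URL and remember state/nonce in the session."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "response_type": response_type,
              "state": secrets.token_urlsafe(16)}
    session["state"] = params["state"]
    if response_type != "code":
        # Implicit mode: the OP answers with an HTTP POST and the nonce is mandatory.
        params["response_mode"] = "form_post"
        params["nonce"] = session["nonce"] = secrets.token_urlsafe(16)
    # urlencode sends the space in "id_token token" as "+" on the wire.
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def constructed_id_token(claims):
    """Build an UNSIGNED sample token (constructed test data only)."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg(claims), ""])

def jwt_claims(id_token):
    """Decode the payload segment; signature verification is not shown here."""
    try:
        seg = id_token.split(".")[1]
        return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except (IndexError, ValueError) as exc:
        raise ValueError("malformed id_token") from exc

def _same(a, b):
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def check_form_post(session, form):
    """Check state and nonce from the OP's form_post body; return claims or raise."""
    state = session.pop("state", None)   # single use: a replayed POST finds nothing
    nonce = session.pop("nonce", None)
    if not state or not _same(form.get("state", ""), state):
        raise ValueError("state mismatch")
    claims = jwt_claims(form.get("id_token", ""))
    if not nonce or not isinstance(claims, dict) or not _same(claims.get("nonce", ""), nonce):
        raise ValueError("nonce mismatch: ID token is not bound to this login request")
    return claims
```

Because the ID token reaches the RP through the browser in implicit mode, the nonce check is what ties the token to the request this session started, which is consistent with nonceEnabled being forced to true for any responseType other than code.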
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI96403

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-04-09

  • Closed date

    2020-09-14

  • Last modified date

    2020-09-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels


Document Information

Modified date:
15 September 2020