IBM Support

Obtaining WebSphere OpenID Connect (OIDC) latest version

Troubleshooting


Problem

This document contains information about and a link to the latest version of the WebSphere® Application Server OpenID Connect (OIDC) Trust Association Interceptor (TAI). If you are having any issues with your OIDC TAI, ensure that you are running the latest version of the TAI before you start to troubleshoot the problem.

Resolving The Problem

 



 

LATEST VERSION: 1.3.2


The latest version of the OIDC TAI can be found here:

PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters

The latest version of the OIDC TAI is 1.3.2. Instructions for how to determine the version of your OIDC TAI are included later in this document.

The following WebSphere Application Server fix packs contain the latest version of the OIDC TAI:

WebSphere Application Server Release | Earliest fix pack containing latest OIDC version
8.5.5 | n/a
9.0 | n/a
 

WHAT IT IS:

The OIDC TAI implementation is encapsulated in a single JAR file and can be replaced in its entirety to update to the latest version of the code. The OIDC TAI code is updated frequently, so IBM support regularly publishes new versions of the OIDC TAI outside of the fix pack cycles.

The APAR interim fix link that is provided in this document includes the following information:
  • A list of the APARs included in the fix
  • Install instructions
  • Links to any prereq APARs
  • Applicable fix packs
 

WHAT TO DO:

When you are not running the latest version of the OIDC TAI, you can do one of the following to update your OIDC TAI to the latest version:

  1. Install an interim fix for the APAR in the link that is provided in this document.
  2. Install a fix pack that includes the latest OIDC TAI for your WebSphere version; do the following:
    • Using the table at the beginning of this document, get the earliest fix pack number that contains the latest OIDC version for your release; then do one of the following:
      • If a fix pack number is listed:
        • Install that fix pack or later
      • If a fix pack number is not listed:
        • You must install an interim fix for the latest APAR instead
 

OBTAINING THE OIDC TAI VERSION FROM YOUR JAR:

To determine the version of the OIDC TAI that you have, you can do the following in a command window:

cd (was_home)/plugins
java -cp ./com.ibm.ws.security.oidc.client.jar com.ibm.ws.security.oidc.util.Version

com.ibm.ws.security.oidc.client.jar
1.05

When the JAR file was installed with an APAR interim fix, the version that is displayed will be in numeric form, for example: 1.05. When the JAR file was installed with a fix pack, the version will be displayed with fix pack information, for example: 8.5.5 cf091605.01.

If you get the following error when you run this command, then you are running an outdated version of the OIDC TAI and you must install the latest version:
Exception in thread "main" java.lang.NoClassDefFoundError: com.ibm.ws.security.oidc.util.Version
 

OBTAINING THE OIDC TAI VERSION FROM A TRACE:

To find the version of the OIDC TAI from a trace, search for getVersion:

[11/04/21 11:39:54:156 CST] 00000001 RelyingParty < getVersion returns [1.3.2] Exit

If the version is 1.0, then you are running an outdated version of the OIDC TAI and you must install the latest version.

This information is only emitted one time when base security initializes the interceptors. If your trace is not gathered from application server startup, you will not see it.
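The two checks above (the Version command and the getVersion trace entry) can be combined in one helper that classifies whatever text it is given. This is an added example, not IBM-provided code; the function name and the result labels are assumptions made for illustration.

```shell
#!/bin/sh
# Latest OIDC TAI version as stated in this document; change it when a newer
# version is published.
LATEST_OIDC_TAI="1.3.2"

# classify_oidc_version TEXT   (hypothetical helper, not part of WebSphere)
# TEXT is the output of the Version command or an excerpt of a trace.
# Example call, using the command from this document:
#   cd (was_home)/plugins
#   classify_oidc_version "$(java -cp ./com.ibm.ws.security.oidc.client.jar \
#       com.ibm.ws.security.oidc.util.Version 2>&1)"
classify_oidc_version() {
    text=$1
    # No Version class in the JAR: the document treats this as outdated.
    case $text in
        *NoClassDefFoundError*com.ibm.ws.security.oidc.util.Version*)
            echo "outdated"; return 0 ;;
    esac
    # Trace form: "... RelyingParty < getVersion returns [1.3.2] Exit"
    ver=$(printf '%s\n' "$text" |
          sed -n 's/.*getVersion returns \[\([^]]*\)].*/\1/p' | head -n 1)
    # Command form: the JAR name on one line, the version on the next.
    if [ -z "$ver" ]; then
        ver=$(printf '%s\n' "$text" |
              sed -e '/\.jar$/d' -e '/^[[:space:]]*$/d' | head -n 1)
    fi
    case $ver in
        "")                 echo "unknown" ;;
        "$LATEST_OIDC_TAI") echo "latest" ;;
        1.0)                echo "outdated" ;;          # called outdated in this document
        *[!0-9.]*)          echo "fixpack:$ver" ;;      # e.g. "8.5.5 cf091605.01"
        *)                  echo "not-latest:$ver" ;;   # numeric interim fix version
    esac
}
```

A `fixpack:` result means the JAR came from a fix pack, so compare that fix pack against the table of fix packs containing the latest OIDC version rather than against the numeric version.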

 

SUPPORTED FIX PACKS:

The OpenID Connect feature of WebSphere Application Server is supported starting in the following fix packs:

 
  • 8.5.5.3
  • 9.0.0.0

You cannot install the OIDC TAI feature on a fix pack that is earlier than one of these fix packs. If you want to use the OIDC TAI, you must upgrade to one of these fix packs or later, then install the latest OIDC TAI.

Note:

This document uses the term WebSphere traditional to refer to WebSphere Application Server v9.0 traditional, WebSphere Application Server v8.5 full profile, WebSphere Application Server v8.0 and earlier, WebSphere classic, traditional WebSphere, traditional WAS, and tWAS.


Document Information

Modified date:
09 November 2021

UID

swg21997883