IBM Support

Obtaining WebSphere OpenID Connect (OIDC) latest version

Troubleshooting


Problem

This document contains information about and a link to the latest version of the WebSphere® Application Server OpenID Connect (OIDC) Trust Association Interceptor (TAI). If you are having any issues with your OIDC TAI, ensure that you are running the latest version of the TAI before you start to troubleshoot the problem.

Resolving The Problem

 


Component: Topic:

 

LATEST VERSION: 1.4.0


The latest version of the OIDC TAI can be found here:

PH49566: OIDC v1.4.0; OIDC: CWTAI2047E when more than one key without alg claim in JWK

The latest version of the OIDC TAI is 1.4.0. Instructions for how to determine the version of your OIDC TAI are included later in this document.

The following WebSphere Application Server fix packs contain the latest version of the OIDC TAI:
WebSphere Application Server Release Earliest fix pack containing latest OIDC version
8.5.5 n/a
9.0 n/a
 

WHAT IT IS:

The OIDC TAI implementation is encapsulated in a single JAR file and can be replaced in its entirety to update to the latest version of the code. The OIDC TAI code is updated frequently, so IBM support regularly publishes new versions of the OIDC TAI outside of the fix pack cycles.

That APAR interim fix link that is provided in this document includes the following information:
  • A list of the APARs included in the fix
  • Install instructions
  • Links to any prereq APARs
  • Applicable fix packs
 

WHAT TO DO:

When you are not running the latest version of the OIDC TAI, you can do one of the following to update your OIDC TAI to the latest version:

  1. Install an interim fix for the APAR in the link that is provided in this document.
  2. Install a fix pack that includes the latest OIDC TAI for your WebSphere version; do the following:
    • Using the table at the beginning of this document, get the earliest fix pack number that contains the latest OIDC version for your release; then, do one of the following:
      • If a fix pack number is listed:
        • Install that fix pack or later
      • If a fix pack number is not listed:
        • You must install an interim fix for the latest APAR instead
 

OBTAINING THE OIDC TAI VERSION FROM YOUR JAR:

To determine the version of the OIDC TAI that you have, you can do the following in a command window:

cd (was_home)/plugins
java -cp ./com.ibm.ws.security.oidc.client.jar com.ibm.ws.security.oidc.util.Version

com.ibm.ws.security.oidc.client.jar
1.0.5
  • When the JAR was installed with an "OIDC VERSION" APAR (like the one that this document references), the version is displayed in numeric form, for example: 1.0.5.
  • When the JAR was installed with an APAR interim fix, the version that is displayed is in APAR format, for example: PH12345.
  • When the JAR file was installed with a fix pack, the version is displayed with fix pack information, for example: 8.5.5 cf091605.01. (This is translated as WebSphere version 8.5.5, build number cf091605.01, or 8.5.5.9)

If you get the following error when you run this command, then you are running an outdated version of the OIDC TAI and you must install the latest version:
Exception in thread "main" java.lang.NoClassDefFoundError: com.ibm.ws.security.oidc.util.Version
 

OBTAINING THE OIDC TAI VERSION FROM A TRACE:

To find the version of the OIDC TAI from a trace, search for getVersion:

[11/04/21 11:39:54:156 CST] 00000001 RelyingParty < getVersion returns [1.4.0] Exit
  • If the version is 1.0, then you are running an outdated version of the OIDC TAI and you must install the latest version.
  • See the previous OBTAINING THE TAI VERSION FROM YOUR JAR section for the various formats of the values that you might see from getVersion.
 

SUPPORTED FIX PACKS:

The OpenID Connect feature of WebSphere Application Server is supported starting in the following fix packs:

 
  • 8.5.5.3
  • 9.0.0.0

You cannot install the OIDC TAI feature on a fix pack that is earlier than one of these fix packs. If you want to use the OIDC TAI, you must upgrade to one of these fix packs or later, then install the latest OIDC TAI.

Note:

This document uses the term WebSphere traditional to refer to WebSphere Application Server v9.0 traditional, WebSphere Application Server v8.5 full profile, WebSphere Application Server v8.0 and earlier, WebSphere classic, traditional WebSphere, traditional WAS, and tWAS.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"ARM Category":[{"code":"a8m50000000CdESAA0","label":"Security-\u003ESSO-\u003EOpenId Connect"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.5;9.0.0;9.0.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
22 September 2022

UID

swg21997883