IBM Support

PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters

Abstract

OIDC TAI Version v1.3.2; PH39666: OIDC RP: Initial login might fail when the OIDC stateId contains special characters

Download Description

OIDC TAI Version: 1.3.2
 
THE FOLLOWING FIXES ARE PROVIDED:

Interim fix file                    Readme file       Fix pack range             Editions
8.5.5.3-WS-WASProd-IFPH39666.zip    Readme file v8.5  8.5.5.3 through 8.5.5.20   WASProd
9.0.0.0-WS-WASProd-IFPH39666.zip    Readme file v9.0  9.0.0.0 through 9.0.5.9    WASProd
9.0.5.10-WS-WASProd-IFPH39666.zip   Readme file v9.0  9.0.5.10 only              WASProd


You can install these fixes from the IBM live service repository instead of downloading them. For information and step-by-step instructions, see the LIVE SERVICE REPOSITORY INSTALLATION section of this document.

AVOID TROUBLE:

When you are administering a cluster, the fix for this APAR must be applied to each cluster member. Failure to update all cluster members produces unpredictable results on both the updated and nonupdated cluster members.


PH39666 resolves the following problem:

ERROR DESCRIPTION:

OIDC RP initial login might fail when OIDCSTATE name contains a reserved token.

When an application is protected by the OpenID Connect Relying Party, an error like one of the following might occur upon initial login:

  • CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [Cookie name "OIDCSTATE_BxEIAQzE+axNDRKbJvxvBGIcN8YrylsxeE4bFpeAfeA=_1627285785897" is a reserved token].
    • This error occurs at the time the cookie is written.
    • This error occurs only when JavaScript is not used and might be avoided by setting provider_<id>.useJavaScript=true (the default).
  • CWTAI2019E: The state id [sS2cjek8eI1Ep9H+ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881] in the OpenID Connect relying party (RP) state cookie [OIDCSTATE_rp1] does not match the state id [sS2cjek8eI1Ep9H ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881] received from the OpenID Connect provider.
    • This error occurs when processing a login response from the OP. 
    • The original outbound stateId includes a plus sign, but the plus sign is missing from the stateId in the inbound response.
    • The plus sign disappears because it has special meaning in a URL query string: an unencoded plus sign is decoded as a space. If a plus sign appears in a stateId, this error always occurs.
  • CWTAI2030I: The OpenID Connect TAI was unable to retrieve the request data with stateId [ThgkXKF1H4QGyBuHYGyn65ffJCoZUnawsBRTR861RsU%3D_1636053405653] from the state map. It may have expired.
    • This error occurs when processing a login response from the OP. 
    • The original outbound stateId includes an equal sign, but the RP retrieves a stateId from the response that has the equal sign encoded as a %3D.
    • It is normal for an OP to encode special characters on its outbound responses. However, it is not normal for the RP runtime to retrieve parameters that are still encoded.  When an equal sign is in the stateId, this error does not always occur.  You can see in the previous error that the equal sign is not encoded.

PROBLEM CONCLUSION:
The OIDC RP is creating stateIds that contain special characters that might be token separators as defined by https://datatracker.ietf.org/doc/html/rfc2616#section-2.2

The stateId is used as part of the extension of the OIDCSTATE_* cookie name that is written to the browser. It is also used as an index for the StateData cache. The stateId that the OIDC RP creates is sent to the OP in the authentication request, then the OP sends it back in the response. If the stateId string is modified anywhere along that path, the OIDC RP does not recognize the response as its own and the request fails.

The OIDC RP is updated to ensure that stateIds do not contain special characters that include token separators.

The fix for this APAR is targeted for inclusion in fix pack 8.5.5.21 and 9.0.5.11. Refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
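
The following is an added illustration, not IBM's code and not the TAI's implementation. It reproduces, in Python, the two query-string transformations described in the error description using the stateIds quoted in the CWTAI2019E and CWTAI2030I messages above, checks the resulting OIDCSTATE_* cookie name against the RFC 2616 token rule behind CWTAI2007E, and shows that an alphanumeric stateId comes back unchanged on every path. The legacy_state_id and fixed_state_id functions are assumptions about the shape of the identifiers (standard Base64 before, alphanumeric after), reconstructed from the error messages rather than taken from the TAI; the authorization code in the constructed callback query is a placeholder.

```python
import base64
import secrets
import urllib.parse

# RFC 2616 section 2.2 "separators". A cookie name is an HTTP token and may not
# contain any of these characters (nor control characters or spaces).
SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')


def is_rfc2616_token(s: str) -> bool:
    """True if s is a valid HTTP token, i.e. safe to use as a cookie name."""
    return bool(s) and all(33 <= ord(c) <= 126 and c not in SEPARATORS for c in s)


def cookie_name_for(state_id: str) -> str:
    """The OIDCSTATE_* cookie name the RP writes, per the error messages above."""
    return "OIDCSTATE_" + state_id


def op_echo_raw(state_id: str) -> str:
    """Case 1 (CWTAI2019E): the RP sent the stateId without percent-encoding it, the OP
    echoes it unchanged, and the RP decodes the callback query string with form-decoding
    rules, so an unencoded '+' becomes a space."""
    query = "code=SplxlOBeZQQYbYS6WxSbIA&state=" + state_id   # constructed callback query
    return urllib.parse.parse_qs(query)["state"][0]


def op_echo_encoded_naive_rp(state_id: str) -> str:
    """Case 2 (CWTAI2030I): the OP percent-encodes the stateId ('=' -> '%3D') and a naive
    RP splits the query string on '&' and '=' without percent-decoding the values."""
    query = "code=SplxlOBeZQQYbYS6WxSbIA&state=" + urllib.parse.quote(state_id, safe="")
    return dict(pair.split("=", 1) for pair in query.split("&"))["state"]


def state_id_survives(state_id: str) -> dict:
    """Does this stateId come back unchanged on every path it has to travel?"""
    return {
        "cookie_name_is_token": is_rfc2616_token(cookie_name_for(state_id)),
        "raw_echo_matches": op_echo_raw(state_id) == state_id,
        "encoded_echo_matches": op_echo_encoded_naive_rp(state_id) == state_id,
    }


def legacy_state_id(random_bytes: bytes, timestamp_ms: int) -> str:
    """Assumed pre-fix shape: standard Base64 (alphabet includes '+', '/' and '=' padding)
    joined to a millisecond timestamp. Reconstructed from the error messages, not TAI code."""
    return base64.b64encode(random_bytes).decode("ascii") + "_" + str(timestamp_ms)


def fixed_state_id(random_bytes: bytes, timestamp_ms: int) -> str:
    """Assumed post-fix shape: hex-encoded random bytes plus '_' and the timestamp, so the
    stateId contains no token separator and is not altered by percent- or form-decoding."""
    return random_bytes.hex() + "_" + str(timestamp_ms)


if __name__ == "__main__":
    # The first two stateIds are the ones quoted in the error messages on this page.
    for sid in ("sS2cjek8eI1Ep9H+ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881",
                "ThgkXKF1H4QGyBuHYGyn65ffJCoZUnawsBRTR861RsU=_1636053405653",
                fixed_state_id(secrets.token_bytes(32), 1636053405653)):
        print(sid, state_id_survives(sid))
```

Running it shows the first stateId coming back with its plus sign turned into a space (exactly the value CWTAI2019E reports as "received from the OpenID Connect provider") and the second coming back with %3D in place of the equal sign (the value CWTAI2030I fails to find in the state map), while the hex stateId passes all three checks. Hex is one alphanumeric choice; a Base64url encoding with the padding stripped would also avoid every separator, but it still relies on the OP and RP agreeing on URL encoding, which the plain alphanumeric form does not.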

 
CUSTOM PROPERTIES AND JAVADOC:
To see a complete list of the custom properties supported in this version of the OIDC TAI, see the technote WebSphere OpenID Connect, Full Profile Custom Properties.

APARS INCLUDED IN THIS VERSION:
This fix is for the OpenID Connect (OIDC) Relying Party and JWT authentication features in WebSphere Application Server traditional, both of which are delivered in the OIDC trust association interceptor (TAI) JAR file. This fix is cumulative and contains all fixes that were in the code repository at the time the fix was created.

PI23430: Security Integrity fix for OpenID and OpenID connect
PI25298: OIDC on full profile can't authenticate with Liberty profile OP with an access token
PI25681: Remove export packages of the org.apache.commons.codec from com.ibm.ws.security.client.jar
PI33449: Full profile OpenID connect RP does not work with google OP
PI37687: IBM embedded WebSphere Application Server is missing the JAR files for OpenID and OpenID connect
PI47460: Add multi-provider support to OpenID connect relying party in the full profile
PI52604: OpenID connect SSO with active directory fails with 403 forbidden
PI55697: OpenID connect relying party: no entry in cache for stateid
PI56331: User might not be able to access web page that is protected with OIDC after initial login
PI59831: Support for using local x.509 public certificate for signature verification in OIDC
PI63906: OIDC: Allow config of contentType
PI64573: OIDC: A 403 error might occur when the OP URL encodes the state parameter
PI64924: OpenID connect RP cannot locate key in JWK set
PI65751: Do not require the interceptedPathFilter OIDC custom property
PI73318: OIDC: Unique cookie names can accumulate on the browser
PI74857: Privilege escalation in full profile OIDC RP (CVE-2017-1151)
PI75095: OIDC: ClassCastException java.util.ArrayList
PI78336: OIDC jndiCacheName property does not work
PI80317: OIDC RP might store incorrect data in DynaCache
PI80543: OIDC RP cannot dynamically build callback URL
PI80549: OIDC RP does not support POST introspection endpoints
PI82308: OIDC RP loses URL fragments during the login process
PI84244: OIDC RP does not restore single quotation mark characters in POST data
PI86752: OIDC RP is requiring optional iat claim in introspected access token
PI87354: OIDC RP cannot log out when OIDC session cookie is not present
PI88253: OIDC RP secure flag not set on the oidcrequrl cookie
PI88896: OIDC RP refreshed access_token is not put into subject
PI90373: OIDC RP authorizationEndpointURL does not handle query parameters correctly
PI92210: OIDC RP configuration of location of sign verify certificate is not customizable
PI92332: OIDC RP does not support op userinfo endpoint
PI94538: OIDC RP does not call the revocation endpoint on the OP on logout
PI96508: OIDC RP might not connect to token endpoint due to SSL handshake failure
PI96403: OIDC RP: support implicit login flow for initial requests
PH00569: OIDC RP handling of id_token expiry is not configurable
PH02192: OIDC RP extra <br/> tag added in saved post body
PH03525: OIDC RP might not intercept requests to http:// endpoints
PH07297: Denial of Service vulnerability in Guava (CVE-2018-10237)
PH08804: OIDC RP default identifiers are not available when customs are configured
PH10503: OIDC RP: sessionCacheTimeoutMinutes value is in seconds instead of minutes
PH10892: OIDC RP: There is no API for obtaining tokens or manually triggering access token refresh
PH11107: OIDC RP: port number is always included on redirect_uri parameter
PH11684: OIDC RP: failed to validate ID token, error that is emitted during verify [UnsupportedOperationException]
PH12520: OIDC TAI: Enable JWT authentication
PH13175: OIDC RP: Tokens are not revoked when sessions are evicted from the cache
PH14676: OIDC RP: omit client_secret OAuth 2.0 parameter when the client_secret is an empty string
PH15248: OidcClientHelper methods might return null unexpectedly
PH15626: OIDC RP: enable configuration of a login error url
PH17304: OIDC RP: cannot send a Content-Security-Policy header to the OpenID Connect provider
PH18150: OIDC RP: does not check the idtoken for an acr value when auth endpoint includes "acr_values"
PH19189: OIDC RP: cannot send a nonce parameter to an OP
PH19333: OIDC RP: unable to override the realm name in an idtoken
PH19907: OIDC RP: login fails when createSession=true and http sessions are exhausted
PH20118: OIDC RP: do require scope claim on response from OP
PH21008: The TAI is not enabled when any provider config fails to initialize
PH21178: OIDC RP: access token refresh might be erroneously attempted
PH21611: OIDC RP: might attempt to refresh access tokens that are not expired
PH21827: OIDC RP: NotSerializableException for JwtClaims error might occur
PH22038: OIDC RP: session cookie name is related to provider_<id>.clientId instead of provider_<id>.identifier
PH22195: OIDC RP: enable use OpenID provider's well-known configuration url (discovery)
PH22621: OIDC RP: add programmatic support for grant_type = client_credentials
PH23572: OIDC RP: code flow cannot be used when JavaScript is not enabled
PH23697: OIDC RP: add rs512 signature algorithm
PH24737: OIDC RP: make the introspection response available with an API
PH25547: OIDC RP: incorrect behavior when opaque token is in authorization header and useJwtFromRequest=ifPresent
PH25697: OIDC RP: sessionCacheTimeoutMinutes=0 is not overriding idtoken exp claim
PH25774: OIDC RP: session cookie value is too short
PH26523: OIDC RP: allow call to userinfo endpoint to be not active
PH26925: OIDC RP: generates JavaScript with extra 'end-script' to send to OP
PH27173: OIDC RP: login might fail when nonce is enabled
PH27213: OIDC RP: provide an option to not write an LTPA cookie in the OIDC path
PH27514: OIDC RP: add basic auth support for the JWK endpoint
PH27827: OIDC RP: support unique clientId and clientSecret for introspection endpoint
PH27971: OIDC RP: make end session endpoint available with an API
PH28253: OIDC RP: intercept callback from OP without special filter config
PH28386: OIDC RP: provide an option to validate a JWT access token
PH28534: OIDC RP: do not load config entry when there is no filter defined
PH29099: OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
PH30368: OIDC RP might not delete session cookie when SameSite cookie policy=lax
PH30911: OIDC RP: allow a resource parameter to be sent to the token and authorize endpoints
PH31682: OIDC RP might not load config from a nondefault security domain
PH32257: NotSerializableException when accessTokenIsJwt=true
PH33170: JWT authentication that uses custom cache key might be slow
PH34227: OIDC RP: support the basic_start_authorization scope
PH34840: OIDC RP: make the state parameter alphanumeric
PH35185: OIDC RP: authentication might fail with CWTAI2007E saying a nonce claim is required when the nonce is present
PH35481: OIDC APIs might not find an idToken token on the runAs subject
PH39666: OIDC RP: Initial login might fail when the OIDC stateId contains special characters
PH39847: OIDC RP: entry is never removed from cache when initial login is through introspection
PH40532: OIDC TAI might not remove OAuth access token cache entries
PH40533: OIDC TAI might encounter a thread hang when sessions are removed from the local cache
 
  • JAVA™ 7 OR LATER IS REQUIRED

    The OIDC v1.3.2 runtime on this page requires the use of Java version 7 or later:

    • The PH39666 interim fix for WebSphere traditional v8.5.5 installs on any fix pack to which it applies.
    • When an application server is running Java 6 or earlier:
      • The OpenID Connect (OIDC) Relying Party (RP) TAI is not initialized when the server is started.
      • If the OIDC TAI was configured to intercept requests before PH39666 was installed, then after PH39666 is installed those previously intercepted requests are redirected to the default form login.

  • PREREQ APAR FIXES
    The v8.5.5 interim fix that is provided on this page prereqs the PI57465 enablement fix. For convenience, the interim fix files for PI57465 are packaged into the v8.5.5 interim fix for APAR PH39666.
    If you do not already have an interim fix for PI57465 installed and you are installing on 8.5.5.9 or earlier, you are required to install the interim fix for PI57465:

    • When you are using the IBM Installation Manager GUI to install the fixes, the fix for PI57465 appears as a separate line-item that you must select (for instance, when you install on WebSphere 8.5.5.4).
    • If the fix for PI57465 doesn't display, clear 'Show recommended only'
    • If you are using the Installation Manager imcl command to install the fix, you must specify the fix name for the appropriate PI57465 fix.
      • To see example imcl commands and the names of the PI57465 fixes included in the PH39666 interim fixes, see the COMMAND LINE INSTALLATION section of this document.

    You do not need to install an interim fix for the prereq APAR PI57465 on v9.0 or 8.5.5.10 or later because PI57465 is included in those fix packs.
     

  • LIVE SERVICE REPOSITORY INSTALLATION
    If you are installing by using the IBM Installation Manager GUI, you can install an interim fix for PH39666 from the IBM live service repository instead of downloading it.  Do the following actions in the Installation Manager:

    1. Select File > Preferences
    2. Click 'Repositories' from the list on the left
    3. Make sure that 'Search service repositories during installation and updates' is selected.
    4. Click OK
    5. Click Update
    6. Make sure that 'Update all packages with recommended updates and recommended fixes' is not selected.
    7. Choose the WebSphere instance that you want to update.
    8. Click Next
      • If you are prompted for your IBM ID and password
      • If you are not at the most recent fix pack level, the Update Packages window displays with the most recent fix pack preselected.
    9. Do the following steps:
      • If you are at the most recent fix pack level, do the following:
        1. Select 'Show recommended only'.
        2. Clear any recommended update that you do not want to install.
          • Make sure that you do not clear the update for PH39666.
        3. Click Next
        4. Click Update
      • If you are not at the most recent fix pack level, do the following:
        1. Clear 'Show recommended only'.
        2. Scan through the list to find the entry for PI57465 and select it.

          For a list of the fix names for PI57465, see the COMMAND LINE INSTALLATION section.
        3. Do the following actions based on whether you want to also update your fix pack level:
          • If you want to update to the most recent fix pack level, do the following:
            1. Click Next
            2. Go back and complete the previous steps as if you are at the most recent fix pack level.
          • If you want to update your fix pack to a level that is not the most recent, do the following:
            1. Clear 'Show recommended only'.
            2. Select the fix pack level that you want to install.
            3. Click Next
          • If you do not want to update your fix pack level, do the following:
            1. Clear 'Show recommended only'.
            2. Select 'Only fixes for version x.x.x.x', where x.x.x.x is your version and fix pack.
            3. Click Next
            4. Clear any recommended update that you do not want to install.
              • Make sure that you do not clear the update for PH39666.
        4. If you are installing on fix packs 8.5.5.3 through 8.5.5.9 and you do not have an interim fix for the prerequisite APAR PI57465 installed, an error that says 'APAR PI57465 is required by x.x.x.x-WS-WASProd-IFPH39666' appears.

          If you see this error, do the following:
        5. Click Next
        6. Click Update

  • COMMAND LINE INSTALLATION
    The fixes for PH39666 are installed by using the IBM Installation Manager. You can use the Installation Manager imcl command to install an interim fix from the command prompt.

    When you install an interim fix from the command prompt, you need to know the name of the fix that is contained within the interim fix file. The following table lists the fixes that are contained in each interim fix file for PH39666. For convenience, the fixes for the prerequisite APAR PI57465 are packaged into the v8.5.5 interim fix file.

    Interim fix file                   Fix names                                             Fix packs
    8.5.5.3-WS-WASProd-IFPH39666.zip   8.5.5.3-WS-WASProd-IFPH39666_8.5.5003.20211108_1838   8.5.5.3 through 8.5.5.20
                                       8.5.5.3-WS-WASProd-IFPI57465_8.5.5003.20160623_1218   8.5.5.3 only
                                       8.5.5.4-WS-WASProd-IFPI57465_8.5.5004.20160623_1211   8.5.5.4 through 8.5.5.5
                                       8.5.5.6-WS-WASProd-IFPI57465_8.5.5006.20160623_1208   8.5.5.6 only
                                       8.5.5.7-WS-WASProd-IFPI57465_8.5.5007.20160623_1202   8.5.5.7 through 8.5.5.9
    9.0.0.0-WS-WASProd-IFPH39666.zip   9.0.0.0-WS-WASProd-IFPH39666_9.0.0.20211108_1645      9.0.0.0 through 9.0.5.10
      Example commands:
    • Installation of PH39666 only:
      The following example shows how you can install on an 8.5.5 fix pack that includes PI57465 (8.5.5.10 or later).  If you previously installed an interim fix for PI57465, you can also use this command on 8.5.5.3 through 8.5.5.9.
       
      ./imcl install 8.5.5.3-WS-WASProd-IFPH39666_8.5.5003.20211108_1838 -installationDirectory /opt/IBM/WebSphere/AppServer -repositories /tmp/ifixes/8.5.5.3-WS-WASProd-IFPH39666.zip
    • Installation of PH39666 and PI57465:
      If you do not already have an interim fix for the prereq APAR PI57465 installed, the following example shows how you can install on 8.5.5.7 through 8.5.5.9 using imcl:
       
      ./imcl install 8.5.5.7-WS-WASProd-IFPI57465_8.5.5007.20160623_1202 8.5.5.3-WS-WASProd-IFPH39666_8.5.5003.20211108_1838 -installationDirectory /opt/IBM/WebSphere/AppServer -repositories /tmp/ifixes/8.5.5.3-WS-WASProd-IFPH39666.zip

    IBM Documentation references:
    Installing interim fixes on distributed operating systems by using the command line
    Command line arguments for the imcl command

     
  • SUPERSEDED APAR FIXES
    The fixes for PH39666 on this page supersede the fixes published for PI47460, PI55697, PI64573, PI65751, PI74857, PI80317, PI82308, PI96508, PH08804, PH13175, PH21827, and PH29099. Those fixes are removed from their pages and are replaced by these fixes for PH39666.

    Because the fixes for PH39666 included on this page supersede the fixes for PI47460, PI55697, PI64573, PI65751, PI74857, PI80317, PI82308, PI96508, PH08804, PH13175, PH21827, and PH29099, the Installation Manager allows a PH39666 fix to be installed on top of any of those fixes. It is up to you to decide whether to uninstall any or all of those fixes before you install a fix for PH39666.
  • APPLICABLE FIX PACKS
    The OpenID Connect feature of WebSphere Application Server v8.5.5 is supported starting in fix pack 8.5.5.3. Therefore, this APAR does not apply to, and no interim fixes are available for, fix packs 8.5.5.0 through 8.5.5.2.

     

Keywords: IBMWL3WSS, OIDC, INTERIMFIX

Prerequisites

PI57465 (only for 8.5.5.9 or earlier)

Installation Instructions

Review the readme.txt for detailed installation instructions.

URL                SIZE (Bytes)
V85 readme file    8065
V90 readme file    7925

Download Package

DOWNLOAD                         RELEASE DATE   SIZE (Bytes)   DOWNLOAD Options
8.5.5.3-WS-WASProd-IFPH39666     11-12-2021     4429184        FC
9.0.0.0-WS-WASProd-IFPH39666     11-12-2021     3991575        FC
9.0.5.10-WS-WASProd-IFPH39666    12-16-2021     3952027        FC

Problems Solved

PH39666

Document Location

Worldwide

Problems (APARS) fixed
PI23430;PI25298;PI25681;PI33449;PI37687;PI47460;PI52604;PI55697;PI56331;PI59831;PI63906;PI64573;PI64924;PI65751;PI73318;PI74857;PI75095;PI78336;PI80317;PI80543;PI80549;PI82308;PI84244;PI86752;PI87354;PI88253;PI88896;PI90373;PI92210;PI92332;PI94538;PI96508;PH00569;PH02192;PH03525;PH07297;PH08804;PH10503;PH10892;PH11107;PH11684;PH12520;PH13175;PH14676;PH15248;PH15626;PH17304;PH18150;PH18189;PH19189;PH19333;PH19907;PH20118;PH21008;PH21178;PH21611;PH21827;PH22038;PH22195;PH22621;PH23572;PH23697;PH24737;PH25547;PH25697;PH25774;PH26523;PH26925;PH27173;PH27213;PH27827;PH27971;PH28253;PH28386;PH28534;PH29099;PH30368;PH30911;PH31682;PH32257;PH33170;PH34227;PH34840;PH35185;PH35481;PH39666;PH39847;PH40532;PH40533

Document Information

Modified date:
16 December 2021

UID

ibm16513845