IBM Support

PH53612: JWT token validation fails even when there is a token provider with valid claim in the list of token providers.


APAR status

  • Closed as program error.

Error description

  • CICS TG has been corrected to validate the token against every
    token provider in the configured list. Previously a
    com.auth0.jwt.exceptions.InvalidClaimException raised by one
    token provider ended the search, so providers later in the
    list that would have accepted the token were never tried.
    

Local fix

Problem summary

  • PROBLEM SUMMARY:
    
    CICS TG allows multiple TOKENPROVIDERS to be defined in the
    IPIC server section of the CICS TG configuration, and a JWT
    presented by a client should be accepted if any one of the
    listed token providers validates it.
    Example:
    ========
    In the CICS TG configuration,
    - TOKENPROVIDERA is configured with claim "aud" = "SAMPLE1"
    - TOKENPROVIDERB is configured with claim "aud" = "SAMPLE2"
    
    In the IPIC server section, the TOKENPROVIDERS are configured
    as shown below:
    
    SECTION IPICSERVER CICSA {
    ..........
    TOKENPROVIDERS:TOKENPROVIDERB,TOKENPROVIDERA
    .......... }
    
    The JWT payload sent by the client carries the audience claim
    shown below:
    
    . {................., "aud": "SAMPLE1" ,................, }
    
    TOKENPROVIDERB is tried first because it is first in the list,
    and its "aud" check fails with an InvalidClaimException. CICS
    TG stops at that exception instead of going on to
    TOKENPROVIDERA, which would have accepted the token. The result
    is a security error at the client side, with the
    InvalidClaimException logged in the CICS TG traces. This
    scenario needs to be corrected to validate the token with all
    token providers in the list.
    
    You may see the following stack trace in the CICS TG traces
    when this problem occurs:
    
    JWTToken:<- [validate] = false
    JWTToken:com.auth0.jwt.exceptions.InvalidClaimException: The
    Claim 'aud' value doesn't contain the required audience.
    at com.auth0.jwt.JWTVerifier.assertValidAudienceClaim(JWTVerifier.java:485)
    at com.auth0.jwt.JWTVerifier.verifyClaims(JWTVerifier.java:401)
    at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:387)
    at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:370)
    at com.ibm.ctg.server.JWTToken.validate(Unknown Source)
    at com.ibm.ctg.server.ServerECIRequest.executeECI(Unknown Source)
    at com.ibm.ctg.server.ServerECIRequest.execute(Unknown Source)
    at com.ibm.ctg.server.Worker.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:825)
    JWTToken:<- [validate] = false
    
    CTG9950E CTGSVIJ1 JWT Token validation failed: All Tokenprovider
    validations failed
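    A worked model of the behaviour described above, added here as
    an example and not code from CICS TG or from IBM. A minimal HS256
    JWT verifier written with the Python standard library stands in
    for the com.auth0 JWTVerifier, and two provider objects model
    TOKENPROVIDERA and TOKENPROVIDERB. The key, the client token and
    the claim values are constructed for the demonstration; that both
    providers trust the same key is an assumption, chosen because the
    trace above shows the signature passing under TOKENPROVIDERB and
    only the 'aud' check failing. validate_before_fix reproduces the
    defect (the first InvalidClaimException ends the scan) and
    validate_after_fix the corrected behaviour (every provider in
    the list is tried).

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


class InvalidSignature(Exception):
    """Algorithm or signature check failed for one provider."""


class InvalidClaim(Exception):
    """Signature verified but a required claim (here 'aud') did not match."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT; stands in for the client's token issuer (test helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(signature)}"


@dataclass(frozen=True)
class TokenProvider:
    """One TOKENPROVIDER: a verification key plus the audience it requires."""
    name: str
    secret: bytes
    audience: str

    def validate(self, token: str) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise InvalidSignature(f"{self.name}: malformed token")
        header_b64, body_b64, sig_b64 = parts
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the token header must never choose how it is verified.
        if header.get("alg") != "HS256":
            raise InvalidSignature(f"{self.name}: unexpected alg {header.get('alg')!r}")
        expected = hmac.new(self.secret, f"{header_b64}.{body_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise InvalidSignature(f"{self.name}: signature does not verify")
        # Claims are checked only after the signature, as in the trace above.
        claims = json.loads(_b64url_decode(body_b64))
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if self.audience not in audiences:
            raise InvalidClaim(f"{self.name}: The Claim 'aud' value doesn't contain the required audience")
        return claims


def validate_before_fix(token: str, providers: list) -> tuple:
    """Pre-APAR behaviour as the page describes it: the first InvalidClaim ends the
    scan, so providers later in the list are never consulted."""
    for provider in providers:
        try:
            return provider.name, provider.validate(token)
        except InvalidSignature:
            continue  # assumption: a key mismatch moved on to the next provider
        except InvalidClaim:
            raise  # the defect: the remaining providers are skipped
    raise InvalidClaim("All Tokenprovider validations failed")


def validate_after_fix(token: str, providers: list) -> tuple:
    """Corrected behaviour: every provider is tried; the token is accepted only when
    one provider's key AND its required audience both match."""
    failures = []
    for provider in providers:
        try:
            return provider.name, provider.validate(token)
        except (InvalidSignature, InvalidClaim) as exc:
            failures.append(str(exc))  # collected for the trace, not for the client
    raise InvalidClaim("All Tokenprovider validations failed: " + "; ".join(failures))


# Constructed data mirroring the APAR scenario (assumed shared key, demo values only).
SHARED_SECRET = b"constructed-demo-key-not-for-production"
TOKENPROVIDERA = TokenProvider("TOKENPROVIDERA", SHARED_SECRET, "SAMPLE1")
TOKENPROVIDERB = TokenProvider("TOKENPROVIDERB", SHARED_SECRET, "SAMPLE2")
IPIC_TOKENPROVIDERS = [TOKENPROVIDERB, TOKENPROVIDERA]  # TOKENPROVIDERS:TOKENPROVIDERB,TOKENPROVIDERA
CLIENT_TOKEN = sign_hs256({"sub": "cicsuser", "aud": "SAMPLE1"}, SHARED_SECRET)


if __name__ == "__main__":
    try:
        validate_before_fix(CLIENT_TOKEN, IPIC_TOKENPROVIDERS)
    except InvalidClaim as exc:
        print("before fix:", exc)  # TOKENPROVIDERB's aud mismatch ends the scan
    name, claims = validate_after_fix(CLIENT_TOKEN, IPIC_TOKENPROVIDERS)
    print("after fix: accepted by", name, claims)
```

    Each provider binds its key to its audience, so a token is
    accepted only when one provider's signature check and claim
    check both pass; moving on after a claim failure does not loosen
    the check, it only stops the list order from deciding the
    outcome. The per-provider failure strings belong in the trace;
    the client should still see only the generic CTG9950E failure.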
    

Problem conclusion

  • CICS TG has been corrected so that, after one token provider
    raises com.auth0.jwt.exceptions.InvalidClaimException, the token
    is still validated against the remaining token providers in
    the list.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH53612

  • Reported component name

    CTG V9 FOR Z/OS

  • Reported component ID

    5655Y2000

  • Reported release

    930

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-03-30

  • Closed date

    2023-05-18

  • Last modified date

    2023-06-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI91881

Modules/Macros

  • CTG00199 CTG00201 CTG00204 CTG00628
    

Fix information

  • Fixed component name

    CTG V9 FOR Z/OS

  • Fixed component ID

    5655Y2000

Applicable component levels

  • R930 PSY UI91881

       UP23/05/19 P F305


Document Information

Modified date:
01 June 2023