IBM Support

PH08804: OIDC RP default identifiers are not available when customs are configured


Abstract

OIDC RP default identifiers are not available when customs are configured.

Download Description

THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.


PI80317 resolves the following problem:

ERROR DESCRIPTION:

In the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI), the user name must exist in only one claim in every JWT. Either the default claim (sub) or an identifier for the custom claim must be configured.

If most of the JWTs received by the RP contain the sub claim but a few do not, the OIDC RP will not operate properly. The administrator must make sure that all of the OpenID Providers (OPs) the RP trusts are standardized to meet the consistent claim requirement. This may not be possible for some administrators.


PROBLEM CONCLUSION:

The OIDC RP is updated to allow the TAI to use either the default or a custom identifier for user, unique user, group, or realm.

The following property is added to the OIDC RP TAI custom properties:

Property: provider_<id>.useDefaultIdentifierFirst
Values: true, false (default)
Description: Specifies that, if a custom identifier is specified for the user (userIdentifier), unique user (uniqueUserIdentifier), group (groupIdentifier), or realm (realmIdentifier), the custom value will only be used if the default value does not exist in the token.

For example, if useDefaultIdentifierFirst=true and userIdentifier=username, for a JWT that contains sub=user1 and username=user2, the resolved user name would be user1. If useDefaultIdentifierFirst=false, the resolved user name would be user2.
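The resolution rule above, modelled as an added example that is not IBM's code: a small Python module that reads the provider_<id>.* TAI custom properties named on this page, resolves the four identifiers from the claim set of an already-verified JWT, and shows both the pre-fix failure (a custom userIdentifier configured and a token that carries only sub) and the behaviour with useDefaultIdentifierFirst=true. The property names and the sub default are from the page; the default claims assumed for unique user, group and realm, the provider id "op1", the sample properties and the sample tokens are constructed for the example. Rejecting a token with no resolvable user name is this example's defensive choice, not a documented TAI behaviour.

```python
# Added example (not IBM's code): a model of how the OIDC RP TAI resolves the
# user name and related identifiers from an already-verified JWT, showing the
# effect of provider_<id>.useDefaultIdentifierFirst described in this APAR.
from typing import Any, Dict, Mapping, Optional

# Default claim consulted for each identifier kind. Only "sub" for the user
# name is stated on the page; the other three defaults are assumptions made
# for this example.
DEFAULT_CLAIMS: Dict[str, str] = {
    "userIdentifier": "sub",
    "uniqueUserIdentifier": "sub",  # assumption
    "groupIdentifier": "groupIds",  # assumption
    "realmIdentifier": "iss",       # assumption
}


def provider_config(props: Mapping[str, str], provider_id: str) -> Dict[str, str]:
    """Collect the provider_<id>.* TAI custom properties into a plain dict."""
    prefix = f"provider_{provider_id}."
    return {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}


def resolve_claim(claims: Mapping[str, Any], default_claim: str,
                  custom_claim: Optional[str], use_default_first: bool) -> Optional[Any]:
    """Pick the claim value for one identifier kind.

    - no custom identifier configured: the default claim is the only source
    - custom configured, useDefaultIdentifierFirst=false: the custom claim only
      (pre-fix behaviour; a token that lacks the custom claim yields nothing)
    - custom configured, useDefaultIdentifierFirst=true: the default claim if
      the token carries it, otherwise the custom claim
    """
    if custom_claim is None:
        return claims.get(default_claim)
    if use_default_first and default_claim in claims:
        return claims[default_claim]
    return claims.get(custom_claim)


def resolve_identity(props: Mapping[str, str], provider_id: str,
                     claims: Mapping[str, Any]) -> Dict[str, Optional[Any]]:
    """Resolve user, unique user, group and realm for one provider.

    Raises ValueError when no user name can be found, since an identity
    cannot be asserted without one (defensive choice of this example).
    """
    cfg = provider_config(props, provider_id)
    use_default_first = cfg.get("useDefaultIdentifierFirst", "false").strip().lower() == "true"
    identity: Dict[str, Optional[Any]] = {}
    for kind, default_claim in DEFAULT_CLAIMS.items():
        identity[kind] = resolve_claim(claims, default_claim, cfg.get(kind), use_default_first)
    if identity["userIdentifier"] is None:
        raise ValueError(
            f"no user name in token: neither '{DEFAULT_CLAIMS['userIdentifier']}' "
            f"nor custom claim '{cfg.get('userIdentifier')}' is present")
    return identity


# Constructed sample configuration: one OP ("op1", an assumed id) whose tokens
# sometimes carry the user name in a custom "username" claim instead of "sub".
PROPS_CUSTOM_ONLY = {
    "provider_op1.userIdentifier": "username",
}
PROPS_DEFAULT_FIRST = {
    "provider_op1.userIdentifier": "username",
    "provider_op1.useDefaultIdentifierFirst": "true",
}

# Constructed claim sets of already-verified JWTs (no signature handling here).
TOKEN_BOTH = {"iss": "https://op1.example", "sub": "user1", "username": "user2"}
TOKEN_SUB_ONLY = {"iss": "https://op1.example", "sub": "user1"}
TOKEN_CUSTOM_ONLY = {"iss": "https://op1.example", "username": "user2"}


def user_name(props: Mapping[str, str], claims: Mapping[str, Any]) -> Optional[str]:
    """Return just the resolved user name, or None when the token would be rejected."""
    try:
        return resolve_identity(props, "op1", claims)["userIdentifier"]
    except ValueError:
        return None


if __name__ == "__main__":
    for label, props in (("custom only", PROPS_CUSTOM_ONLY), ("default first", PROPS_DEFAULT_FIRST)):
        for name, tok in (("both", TOKEN_BOTH), ("sub only", TOKEN_SUB_ONLY), ("custom only", TOKEN_CUSTOM_ONLY)):
            print(f"{label:13s} / token {name:11s} -> {user_name(props, tok)}")
```

With PROPS_CUSTOM_ONLY the token that carries only sub resolves to no user name at all, which is the inconsistency the error description calls out; with PROPS_DEFAULT_FIRST the same token resolves to user1, and a token carrying both claims resolves to user1 rather than user2, matching the example in the problem conclusion.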


The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.16 and 9.0.0.12. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, OIDC



Document Location

Worldwide

Product: WebSphere Application Server (SSEQTP)
Business Unit: Cloud & Data Platform
Component: General
Platform: AIX
Version: 9.0; 8.5.5
Edition: Base; Network Deployment; Single Server
Line of Business: Automation

Document Information

Modified date:
11 July 2019

UID

ibm10875512