This document contains information about and a link to the latest version of the WebSphere® Application Server OpenID Connect (OIDC) Trust Association Interceptor (TAI). If you are having any issues with your OIDC TAI, ensure that you are running the latest version of the TAI before you start to troubleshoot the problem.
Resolving The Problem
The latest version of the OIDC TAI can be found here:
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
The latest version of the OIDC TAI is 1.3.2. Instructions for how to determine the version of your OIDC TAI are included later in this document.
The following WebSphere Application Server fix packs contain the latest version of the OIDC TAI:
|WebSphere Application Server Release||Earliest fix pack containing latest OIDC version|
The OIDC TAI implementation is encapsulated in a single JAR file and can be replaced in its entirety to update to the latest version of the code. The OIDC TAI code is updated frequently, so IBM support regularly publishes new versions of the OIDC TAI outside of the fix pack cycles. The APAR interim fix link that is provided in this document includes the following information:
When you are not running the latest version of the OIDC TAI, you can do one of the following to update your OIDC TAI to the latest version:
To determine the version of the OIDC TAI that you have, you can do the following in a command window:
java -cp ./com.ibm.ws.security.oidc.client.jar com.ibm.ws.security.oidc.util.Version
When the JAR file was installed with an APAR interim fix, the version that is displayed will be in numeric form, for example: 1.05. When the JAR file was installed with a fix pack, the version will be displayed with fix pack information, for example: 8.5.5 cf091605.01.
If you get the following error when you run this command, then you are running an outdated version of the OIDC TAI and you must install the latest version:
|Exception in thread "main" java.lang.NoClassDefFoundError: com.ibm.ws.security.oidc.util.Version|
To find the version of the OIDC TAI from a trace, search for getVersion:
|[11/04/21 11:39:54:156 CST] 00000001 RelyingParty < getVersion returns [1.3.2] Exit|
If the version is 1.0, then you are running an outdated version of the OIDC TAI and you must install the latest version.
This information is only emitted one time when base security initializes the interceptors. If your trace is not gathered from application server startup, you will not see it.
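The version checks described above can be scripted. The following is an added example, not IBM code: it classifies either the output of the Version command or a trace line containing getVersion, using only the rules stated in this document. The function names and the result labels (outdated, latest, fixpack, not-latest, unknown) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not IBM code). Function names and result labels are hypothetical.
LATEST="1.3.2"   # latest OIDC TAI version as stated in this document

# Pull the version string out of Version-command output or a trace line.
extract_oidc_version() {
    input=$1
    case $input in
        *NoClassDefFoundError*) echo "NOCLASS"; return ;;
    esac
    # Trace form: "... RelyingParty < getVersion returns [1.3.2] Exit"
    v=$(printf '%s\n' "$input" |
        sed -n 's/.*getVersion returns \[\([^]]*\)].*/\1/p' | head -n 1)
    if [ -z "$v" ]; then
        # Command form: first non-empty line, with surrounding blanks trimmed
        v=$(printf '%s\n' "$input" |
            sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
            grep -v '^$' | head -n 1)
    fi
    echo "$v"
}

# Map the extracted version to an action, following this document's rules.
classify_oidc_version() {
    v=$(extract_oidc_version "$1")
    case $v in
        NOCLASS|1.0) echo "outdated" ;;         # Version class missing, or 1.0
        "$LATEST")   echo "latest" ;;
        "")          echo "unknown" ;;          # e.g. trace not taken from startup
        *" cf"*)     echo "fixpack:$v" ;;       # fix pack build, e.g. 8.5.5 cf091605.01
        *[!0-9.]*)   echo "unknown" ;;          # not a recognizable version string
        *)           echo "not-latest:$v" ;;    # interim fix build other than 1.3.2
    esac
}

# Typical use, run from the directory that holds the JAR:
#   classify_oidc_version "$(java -cp ./com.ibm.ws.security.oidc.client.jar \
#       com.ibm.ws.security.oidc.util.Version 2>&1)"
#   classify_oidc_version "$(grep getVersion trace.log)"
if [ "$#" -gt 0 ]; then
    classify_oidc_version "$*"
fi
```

A fixpack result still has to be compared against the fix pack table in this document, because the fix pack string does not carry the OIDC TAI version number.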
The OpenID Connect feature of WebSphere Application Server is supported starting in the following fix packs:
You cannot install the OIDC TAI feature on a fix pack that is earlier than one of these fix packs. If you want to use the OIDC TAI, you must upgrade to one of these fix packs or later, then install the latest OIDC TAI.
This document uses the term WebSphere traditional to refer to WebSphere Application Server v9.0 traditional, WebSphere Application Server v8.5 full profile, WebSphere Application Server v8.0 and earlier, WebSphere classic, traditional WebSphere, traditional WAS, and tWAS.
09 November 2021