IBM Support

PH39666: OIDC RP: Initial login might fail when the OIDC stateId contains special characters


Abstract

PH39666: OIDC RP: Initial login might fail when the OIDC stateId contains special characters

Download Description


THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.

PH39666 resolves the following problem:

ERROR DESCRIPTION:

OIDC RP initial login might fail when OIDCSTATE name contains a reserved token.

When an application is protected by the OpenID Connect Relying Party, an error like one of the following might occur upon initial login:

  • CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [Cookie name "OIDCSTATE_BxEIAQzE+axNDRKbJvxvBGIcN8YrylsxeE4bFpeAfeA=_1627285785897" is a reserved token].
    • This error occurs at the time the cookie is written.
    • This error occurs only when not using JavaScript and might be fixed by setting provider_(id).useJavaScript=true (the default).
  • CWTAI2019E: The state id [sS2cjek8eI1Ep9H+ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881] in the OpenID Connect relying party (RP) state cookie [OIDCSTATE_rp1] does not match the state id [sS2cjek8eI1Ep9H ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881] received from the OpenID Connect provider.
    • This error occurs when processing a login response from the OP.
    • The original outbound stateId includes a plus sign, but the plus sign is missing from the stateId in the inbound response.
    • The plus sign disappears because it has special meaning in a URL query string. If a plus sign appears in a stateId, this error always occurs.
  • CWTAI2030I: The OpenID Connect TAI was unable to retrieve the request data with stateId [ThgkXKF1H4QGyBuHYGyn65ffJCoZUnawsBRTR861RsU%3D_1636053405653] from the state map. It may have expired.
    • This error occurs when processing a login response from the OP.
    • The original outbound stateId includes an equal sign, but the RP retrieves a stateId from the response that has the equal sign encoded as a %3D.
    • It is normal for an OP to encode special characters on its outbound responses. However, it is not normal for the RP runtime to retrieve parameters that are still encoded. When an equal sign is in the stateId, this error does not always occur. You can see in the previous error that the equal sign is not encoded.
PROBLEM CONCLUSION:
The OIDC RP is creating stateIds that contain special characters that might be token separators as defined by https://datatracker.ietf.org/doc/html/rfc2616#section-2.2

The stateId is used as part of the extension of the OIDCSTATE_* cookie name that is written to the browser. It is also used as an index for the StateData cache. The stateId that the OIDC RP creates is sent to the OP in the authentication request, then the OP sends it back in the response. If there are any modifications to the stateId string, the OIDC RP does not recognize the request as its own and the request fails.

The OIDC RP is updated to ensure that stateIds do not contain special characters such as token separators.
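The Python below is an added illustration, not IBM's code: with a constructed state value it models the three failures listed in the error description (a cookie name that is not an RFC 2616 token, an unencoded plus sign decoded as a space, and an RP reading a still-encoded value), and shows that an unpadded URL-safe base64 stateId survives every path. The legacy and hardened encodings are assumptions about the shape of the stateId, not the product's actual implementation.

```python
import base64
from urllib.parse import parse_qs, urlencode

# RFC 2616 section 2.2 "separators": a cookie name must be a token, which may contain none of them.
RFC2616_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_rfc2616_token(value: str) -> bool:
    """True when every character is a printable, non-separator US-ASCII character."""
    return bool(value) and all(32 < ord(c) < 127 and c not in RFC2616_SEPARATORS for c in value)


def legacy_state_id(raw: bytes, ts_ms: int) -> str:
    """Assumed pre-fix shape: standard base64, so '+', '/' and '=' padding can appear."""
    return base64.b64encode(raw).decode("ascii") + "_" + str(ts_ms)


def safe_state_id(raw: bytes, ts_ms: int) -> str:
    """One encoding that meets the fix's requirement (assumed, not IBM's): URL-safe base64
    with padding stripped, leaving only [A-Za-z0-9-_], none of which is a separator or
    changed by query-string encoding."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=") + "_" + str(ts_ms)


def state_received_by_rp(sent_state: str, op_percent_encodes: bool, rp_decodes: bool) -> str:
    """Model the OP redirecting 'state' back and the RP retrieving it from the query string.
    op_percent_encodes: the OP percent-encodes the value (normal OP behaviour).
    rp_decodes: the RP applies form decoding; False models reading the raw parameter."""
    query = urlencode({"state": sent_state}) if op_percent_encodes else "state=" + sent_state
    if rp_decodes:
        return parse_qs(query)["state"][0]  # form decoding turns a literal '+' into a space
    return query.split("=", 1)[1]


def login_would_succeed(state: str, op_percent_encodes: bool, rp_decodes: bool) -> bool:
    """Both conditions the APAR describes: a writable cookie name and an unmodified round trip."""
    cookie_ok = is_rfc2616_token("OIDCSTATE_" + state)
    return cookie_ok and state_received_by_rp(state, op_percent_encodes, rp_decodes) == state


if __name__ == "__main__":
    raw, ts = b"\xfb\xff", 1633426286881  # constructed so the legacy form yields '+', '/' and '='
    for name, state in (("legacy", legacy_state_id(raw, ts)), ("safe", safe_state_id(raw, ts))):
        for op_enc, rp_dec in ((False, True), (True, False), (True, True)):
            print(name, state, "op_encodes=%s rp_decodes=%s" % (op_enc, rp_dec),
                  "ok" if login_would_succeed(state, op_enc, rp_dec) else "FAIL")
```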

The fix for this APAR is targeted for inclusion in fix pack 8.5.5.21 and 9.0.5.11. Refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980


Document Location

Worldwide


Document Information

Modified date:
22 September 2022

UID

ibm16513845