IBM Support

TroubleShoot: OpenID Connect, WebSphere Liberty

Troubleshooting


Problem

This document contains troubleshooting information for the OpenID Connect (OIDC) feature in WebSphere® Application Server Liberty. This can help address common issues with this component before calling IBM support and save you time.

Resolving The Problem

Topic: Overview

This topic contains error messages and common issues that require an OpenID Connect trace to determine the root cause of the problem. The instructions to obtain an OpenID Connect trace are in the 'Collecting data manually' section of the Collect data tab. If a trace string required for a specific problem is different than what is shown on the Collect data tab, the trace string will be noted in the steps to diagnose the problem. In the rest of this document, 'OpenID Connect' will be referred to as 'OIDC'.

 

How do I set up the Liberty OIDC feature?

For information on how to set up your server to protect a resource using the Liberty OIDC feature, see the Knowledge Center articles in the following table:

Topic      Knowledge Center document
General    OpenID Connect
Client     Configuring an OpenID Connect Client in Liberty
Provider   Configuring an OpenID Connect Provider in Liberty


 

Where do I find the custom properties for the Liberty OIDC feature?

The custom properties for the Liberty OIDC feature can be found in the Knowledge Center, see the Knowledge Center documents in the following table:
 
Topic      Knowledge Center document
Client     openidConnectClient - OpenID Connect Client (openidConnectClient)
Provider   openidConnectProvider - OpenID Connect Server Provider (openidConnectProvider)


 

Are there resources for learning OIDC for Liberty besides the Knowledge Center?

The following links are resources for learning about Liberty OpenID Connect outside the Liberty Knowledge Center.
 
Source               Link
DeveloperWorks       Using OpenID Connect in WebSphere Application Server Liberty Profile
YouTube™             OpenID Connect on Liberty
IBM Advantage Blog   WebSphere Liberty makes it easier to build OpenID Connect security services


 

How can I tell if a trace is from server startup?

IBM support requires that traces be gathered from server startup. If you want to make sure that your traces are gathered from server startup, check for the following string in your trace:
 
Search string    Full message
smarter planet   CWWKF0011I: The server {0} is ready to run a smarter planet.


 

How do I find my OIDC client configuration in a trace?

If you have a trace from application server startup, you can find the raw OIDC feature properties by searching for the following string in an OIDC trace:

 
processProtectedString

For example:
 
[4/23/17 15:35:18:236 CST] 00000011 OidcClientCon > processProtectedString Entry
                                          {service.vendor=IBM, userIdentityToCreateSubject=upn, disableLtpaCookie=false, authnSessionDisabled=true, disableIssChecking=false, includeIdTokenInSubject=true, component.id=283, config.displayId=openidConnectClient[XXYYZ], httpsRequired=true, uniqueUserIdentifier=uniqueSecurityName, clockSkew=300000, includeCustomCacheKeyInSubject=true, reAuthnCushion=0, tokenEndpointAuthMethod=post, component.name=com.ibm.ws.security.openidconnect.client.oidcClientConfig, service.pid=com.ibm.ws.security.openidconnect.client.oidcClientConfig_33, signatureAlgorithm=RS256, validateAccessTokenLocally=true, clientId=c344530b-0c12-4b6c-a1ff-ff4afff192ff, reAuthnOnAccessTokenExpire=true, validationMethod=introspect, groupIdentifier=groupIds, jwkEndpointUrl=https://login.company.com/np.abc.com/discovery/keys, encodeParameters=true, hostNameVerificationEnabled=false, authorizationEndpointUrl=https://login.company.com/np.abc.com/oauth2/authorize, tokenEndpointUrl=https://login.company.com/np.abc.com/oauth2/token, config.overrides=true, config.id=com.ibm.ws.security.openidconnect.client.oidcClientConfig[XXYYZ], id=XXYYZ, inboundPropagation=none, scope=openid, config.source=file, isClientSideRedirectSupported=true, nonceEnabled=false, oidcclientRequestParameterSupported=true, realmIdentifier=realmName, initialStateCacheCapacity=3000, createSession=true, service.factoryPid=com.ibm.ws.security.openidconnect.client.oidcClientConfig, trustStoreRef=myTrustStore, grantType=implicit, issuerIdentifier=https://login.company.com/np.abc.com/, mapIdentityToRegistryUser=false, trustAliasName=trusted01}

The resolved properties will show up a little later in the trace. Example:
 
[4/23/17 15:35:18:331 CST] 00000011 OidcClientCon 3 id: XXYYZ
[4/23/17 15:35:18:331 CST] 00000011 OidcClientCon 3 grantType: implicit
[4/23/17 15:35:18:331 CST] 00000011 OidcClientCon 3 responseType:id_token token
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 scope: openid
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 clientId: c344530b-0c12-4b6c-a1ff-ff4afff192ff
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 redirectToRPHostAndPort: null
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 userIdentifier: null
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 groupIdentifier: groupIds
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 realmIdentifier: realmName
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 realmName: null
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 uniqueUserIdentifier: uniqueSecurityName
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 tokenEndpointAuthMethod: post
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 userIdentityToCreateSubject: upn
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 mapIdentityToRegistryUser: false
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 oidcclientRequestParameterSupported: true
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 validateAccessTokenLocally: true
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 disableLtpaCookie:false
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 trustAliasName: trusted01
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 httpsRequired: true
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 isClientSideRedirectSupported: true
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 nonceEnabled: false
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 sslRef: null
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 signatureAlgorithm: RS256
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 clockSkew: 300
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 authorizationEndpointUrl: https://login.company.com/np.abc.com/oauth2/authorize
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 tokenEndpointUrl: https://login.company.com/np.abc.com/oauth2/token
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 validationEndpointUrl: null
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 initialStateCacheCapacity: 3000
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 issuerIdentifier: https://login.company.com/np.abc.com/
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 trustStoreRef: myTrustStore
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 hostNameVerificationEnabled: false
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 includeIdTokenInSubject: true
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 includeCustomCacheKeyInSubject: true
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 authContextClassReference:
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 authFilterRef: null
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 authFilterId: null
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 jsonWebKey: null
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 jwkEndpointUrl: https://login.company.com/np.abc.com/discovery/keys
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 prompt: null
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 createSession: true
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 inboundPropagation: none
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 validationMethod: introspect
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 headerName: null
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 authnSessionDisabled:true
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 disableIssChecking:false
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon < processConfigProps Exit
[4/23/17 15:35:18:333 CST] 00000011 OidcClientCon > isValidConfig Entry
[4/23/17 15:35:18:333 CST] 00000011 OidcClientCon < isValidConfig Exit
true
[4/23/17 15:35:18:333 CST] 00000011 OidcClientCon > getId Entry
[4/23/17 15:35:18:333 CST] 00000011 OidcClientCon < getId Exit
XXYYZ
[4/23/17 15:35:18:333 CST] 00000011 OidcClientCon I CWWKS1700I: OpenID Connect client XXYYZ configuration successfully processed.
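As an added example that is not part of the IBM document, the following Python script does by machine what the two previous sections describe by hand: it checks that a trace contains the startup message CWWKF0011I, extracts the resolved openidConnectClient properties from the 'OidcClientCon 3' lines, confirms CWWKS1700I was logged, and flags values that weaken the RP (for instance hostNameVerificationEnabled=false, which the sample trace above shows). The trace lines embedded in the script are constructed for the example, modelled on the sample above; the review rules are this editor's checks, not anything Liberty itself reports.

```python
"""Added example (not from the IBM page): parse a Liberty OIDC client trace.

Extracts the resolved openidConnectClient properties from the
'OidcClientCon 3 key: value' lines, checks for the startup marker
(CWWKF0011I) and the 'configuration successfully processed' marker
(CWWKS1700I), and flags settings a security reviewer would question.
"""
import re

# Constructed sample trace, abbreviated from the page's example.
SAMPLE_TRACE = """\
[4/23/17 15:35:10:001 CST] 00000001 FeatureManage A CWWKF0011I: The server defaultServer is ready to run a smarter planet.
[4/23/17 15:35:18:331 CST] 00000011 OidcClientCon 3 id: XXYYZ
[4/23/17 15:35:18:331 CST] 00000011 OidcClientCon 3 grantType: implicit
[4/23/17 15:35:18:331 CST] 00000011 OidcClientCon 3 responseType:id_token token
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 clientId: c344530b-0c12-4b6c-a1ff-ff4afff192ff
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 disableLtpaCookie:false
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 httpsRequired: true
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 nonceEnabled: false
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 signatureAlgorithm: RS256
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 clockSkew: 300
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 authContextClassReference:
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 jwkEndpointUrl: https://login.company.com/np.abc.com/discovery/keys
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 hostNameVerificationEnabled: false
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 disableIssChecking:false
[4/23/17 15:35:18:332 CST] 00000011 OidcClientCon 3 issuerIdentifier: https://login.company.com/np.abc.com/
[4/23/17 15:35:18:333 CST] 00000011 OidcClientCon I CWWKS1700I: OpenID Connect client XXYYZ configuration successfully processed.
"""

# "] <thread> OidcClientCon 3 <key>:<optional space><value>"; the trace mixes
# 'key: value' and 'key:value', and some keys are logged with no value.
_PROP_RE = re.compile(r"\] \w+ OidcClientCon 3 (\w+):\s*(.*?)\s*$")
_STARTUP_MARKER = "CWWKF0011I"
_PROCESSED_MARKER = "CWWKS1700I"


def is_startup_trace(trace: str) -> bool:
    """IBM support wants traces gathered from startup; CWWKF0011I is the tell."""
    return _STARTUP_MARKER in trace


def config_was_processed(trace: str) -> bool:
    """True when Liberty logged CWWKS1700I for the client configuration."""
    return _PROCESSED_MARKER in trace


def parse_client_config(trace: str) -> dict:
    """Return {property: value} for the resolved client configuration lines."""
    config = {}
    for line in trace.splitlines():
        m = _PROP_RE.search(line)
        if m:
            config[m.group(1)] = m.group(2)
    return config


def review_config(config: dict) -> list:
    """Flag settings that weaken the RP; each finding names the property."""
    findings = []
    if config.get("hostNameVerificationEnabled") == "false":
        findings.append("hostNameVerificationEnabled=false: TLS host name of the OP is not checked")
    if config.get("httpsRequired") == "false":
        findings.append("httpsRequired=false: tokens may travel over plain HTTP")
    if config.get("disableIssChecking") == "true":
        findings.append("disableIssChecking=true: ID token issuer is not validated")
    # The page states HS256 is the Liberty default, so treat 'absent' as HS256.
    if config.get("signatureAlgorithm", "HS256") == "HS256":
        findings.append("signatureAlgorithm=HS256: ID token signed with the shared client secret")
    if config.get("grantType") == "implicit" and config.get("nonceEnabled") == "false":
        findings.append("nonceEnabled=false with implicit flow: ID token replay is not prevented")
    if (config.get("signatureAlgorithm") == "RS256"
            and not config.get("jwkEndpointUrl") and not config.get("trustStoreRef")):
        findings.append("RS256 without jwkEndpointUrl or trustStoreRef: no key to verify signatures")
    return findings


if __name__ == "__main__":
    cfg = parse_client_config(SAMPLE_TRACE)
    print("startup trace:", is_startup_trace(SAMPLE_TRACE))
    print("config processed:", config_was_processed(SAMPLE_TRACE))
    print("client id:", cfg["clientId"])
    for finding in review_config(cfg):
        print("WARN", finding)
```

Run it against a real trace by replacing SAMPLE_TRACE with the file contents; the regex keys on the 'OidcClientCon 3' prefix, so unrelated trace lines are ignored.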
 

Will the OIDC RP use the JVM proxy settings?

The OpenID Connect RP does not make use of the proxy settings in the JVM (https.proxyHost, https.proxyPort, and so on).


If you use an outbound proxy, the OpenID Connect RP provides no way to route requests through the proxy host automatically:
  • If you must use a proxy to reach the OpenID Connect Provider (OP), the value that you enter for any OP-related URL property must contain the proxy host and port, not the external OP host and port.
  • In most cases, you just replace the OP host and port with the proxy host and port.
  • The URL that you enter must be reachable by both the RP and the client (browser or application): the RP redirects the browser to the authorization endpoint, while it calls the token and JWK endpoints itself.
  • For further guidance on how to determine the correct URL to use, contact your proxy administrator.
 

How do you set up the Liberty OIDC OP for RS256?

Both the Liberty OpenID Connect RP and OP default to using HS256 (HMAC with SHA-256) for the signature algorithm. The OpenID Connect specification requires support of the RS256 (RSA Signature with SHA-256) algorithm. Support for the HS256 algorithm is not mandatory in the OpenID Connect specification and it is not supported by many OpenID Providers.


For instructions on how to update your Liberty OIDC OP to use RS256, see the Configuring an OpenID Connect Provider to use the RSA-SHA256 algorithm for signing of ID tokens topic in the Knowledge Center.
 

How do you set up the Liberty OIDC RP for RS256?

Both the Liberty OpenID Connect RP and OP default to using HS256 (HMAC with SHA-256) for the signature algorithm. Your RP signature algorithm must match the OP's signature algorithm, and many OPs do not support HS256. Note also that with HS256 the ID token is signed with the shared client secret, so any party holding that secret can produce a token the RP accepts; with RS256 the RP verifies against the OP's public key only. To update your Liberty OIDC RP to use RS256, do the following:

  1. Edit the server.xml for your OpenID Connect RP.
  2. To the openidConnectClient element, add the following attribute/value pair:
     signatureAlgorithm="RS256"
  3. Do at least one of the following:
    • If your OP supports a JWK endpoint, configure your RP to use it by adding the following attribute to your openidConnectClient configuration:
      jwkEndpointUrl: Specifies the OP's JWK endpoint URL.
    • Configure the RP to use a local key by adding the following attributes to your openidConnectClient configuration:
      trustStoreRef: The keystore containing the public key necessary for verifying the signature of the ID token.
      trustAliasName: Key alias name used to locate the public key for signature validation with an asymmetric algorithm. This is the public certificate matching the OP's private key that was used to produce the signature.
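The steps above as a complete server.xml fragment, with the weak default beside the corrected configuration. This is an added example, not configuration taken from the IBM document: the feature name openidConnectClient-1.0 and the attribute names are Liberty's, but the client id, the client secret placeholder, the host names, the trust store location and the key alias are assumptions modelled on the sample trace earlier on this page.

```xml
<!-- Added example (not from the IBM page). Ids, hosts, secret and keystore
     details are placeholders modelled on the trace sample on this page. -->
<server description="OIDC RP configured for RS256 (example)">
    <featureManager>
        <feature>openidConnectClient-1.0</feature>
    </featureManager>

    <!-- Weak form, shown commented out: no signatureAlgorithm, so the HS256
         default applies and the ID token is signed with clientSecret; host
         name verification is also switched off, as in the sample trace. -->
    <!--
    <openidConnectClient id="XXYYZ"
        clientId="c344530b-0c12-4b6c-a1ff-ff4afff192ff"
        clientSecret="REPLACE_WITH_CLIENT_SECRET"
        hostNameVerificationEnabled="false"
        authorizationEndpointUrl="https://login.company.com/np.abc.com/oauth2/authorize"
        tokenEndpointUrl="https://login.company.com/np.abc.com/oauth2/token"
        issuerIdentifier="https://login.company.com/np.abc.com/" />
    -->

    <!-- Corrected form, step 3 first option: RS256 verified against the OP's
         JWK endpoint, HTTPS enforced and host name verification on. -->
    <openidConnectClient id="XXYYZ"
        clientId="c344530b-0c12-4b6c-a1ff-ff4afff192ff"
        clientSecret="REPLACE_WITH_CLIENT_SECRET"
        scope="openid"
        httpsRequired="true"
        hostNameVerificationEnabled="true"
        signatureAlgorithm="RS256"
        jwkEndpointUrl="https://login.company.com/np.abc.com/discovery/keys"
        authorizationEndpointUrl="https://login.company.com/np.abc.com/oauth2/authorize"
        tokenEndpointUrl="https://login.company.com/np.abc.com/oauth2/token"
        issuerIdentifier="https://login.company.com/np.abc.com/" />

    <!-- Step 3 second option, shown commented out: a local copy of the OP's
         signing certificate. trustAliasName must be the alias under which
         that certificate was imported into the trust store (assumed path
         and password). -->
    <!--
    <keyStore id="myTrustStore"
        location="${server.config.dir}/resources/security/trust.p12"
        password="REPLACE_WITH_TRUSTSTORE_PASSWORD" />
    <openidConnectClient id="XXYYZ"
        clientId="c344530b-0c12-4b6c-a1ff-ff4afff192ff"
        clientSecret="REPLACE_WITH_CLIENT_SECRET"
        httpsRequired="true"
        signatureAlgorithm="RS256"
        trustStoreRef="myTrustStore"
        trustAliasName="trusted01"
        authorizationEndpointUrl="https://login.company.com/np.abc.com/oauth2/authorize"
        tokenEndpointUrl="https://login.company.com/np.abc.com/oauth2/token"
        issuerIdentifier="https://login.company.com/np.abc.com/" />
    -->
</server>
```

After restarting, confirm the change took effect by searching the startup trace for the 'signatureAlgorithm: RS256' line and the CWWKS1700I message shown in the trace section above; if the OP rotates its signing key, the JWK endpoint option picks up the new key while the local trust store option requires re-importing the certificate.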

Note:

This document uses the term WebSphere traditional to refer to WebSphere Application Server v9.0 traditional, WebSphere Application Server v8.5 full profile, WebSphere Application Server v8.0 and earlier, WebSphere classic, traditional WebSphere, traditional WAS and tWAS.
 

Product: WebSphere Application Server (Edition: Liberty); Component: Security; Business Unit: Cloud & Data Platform; Line of Business: Automation; Platforms: AIX, HP-UX, IBM i, Inspur K-UX, iOS, Linux, OS X, Solaris, Windows, z/OS; Version: 18.0.0.x; 19.0.0.x

Document Information

Modified date:
28 February 2020

UID

swg21998067