Fixes are available
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
APAR status
Closed as program error.
Error description
The OIDC RP always emits a 401 in the browser when authentication fails. The OIDC RP should give the ability to redirect to an error page.
Local fix
n/a
Problem summary
****************************************************************
* USERS AFFECTED: IBM WebSphere Application Server users of    *
* OpenId Connect                                               *
****************************************************************
* PROBLEM DESCRIPTION: Allow configuration of a login error    *
* url for OpenId Connect                                       *
****************************************************************
* RECOMMENDATION: Install a fix pack or interim fix that       *
* includes this APAR.                                          *
****************************************************************

When using the OpenId Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI), if user authentication fails and the OpenId Connect provider does not have its own error page, a 401 is displayed in the browser window. Administrators may want to take different actions to implement more user-friendly behavior.
Problem conclusion
The OIDC TAI is updated to allow an administrator to configure an error page to which to redirect when a login fails. This function only works if the OP redirects back to the RP on error. Not all OPs do this.

Two new custom properties are added to the OIDC TAI: loginErrorUrl and sendOpErrorParamsToLoginErrorUrl.

=======================
provider_<id>.loginErrorUrl
Values: This property does not have a default value.
Description: Specifies the URL to which the Relying Party should redirect when a login error is received from an OpenID Connect Provider.

=======================
provider_<id>.sendOpErrorParamsToLoginErrorUrl
Values: true, false (the default)
Description: When this property is set to true, the Relying Party will forward to the error URL the error, error_description, and error_uri parameters that were received from the OpenID Connect Provider.

The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.17 and 9.0.5.2. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
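The following is an added illustration of how the two custom properties change the Relying Party's response to a failed login; it is not WebSphere's TAI code and is not part of this APAR. It assumes the forwarded OP parameters are appended to loginErrorUrl as query parameters, and that the properties are supplied as a plain dictionary keyed without the provider_<id>. prefix. The OP error values are constructed sample data in the shape of an OAuth 2.0 / OIDC error response.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed sample of the query parameters an OP might send when it
# redirects back to the RP after a failed login (not from a real provider).
SAMPLE_OP_ERROR = {
    "error": "access_denied",
    "error_description": "User declined consent",
    "error_uri": "https://op.example.test/errors/access_denied",
    "state": "abc123",  # present in real callbacks, but not one of the forwarded parameters
}

# Only these three OP parameters are forwarded when sendOpErrorParamsToLoginErrorUrl=true.
FORWARDED_PARAMS = ("error", "error_description", "error_uri")


def login_failure_response(provider_props: dict, op_params: dict) -> dict:
    """Model the RP's HTTP response when the OP reports a login error.

    provider_props: the provider_<id>.* TAI custom properties, here as a dict
                    keyed by the bare property name (an assumption for brevity).
    op_params:      query parameters received from the OP's redirect back to the RP.
    Returns {"status": int, "location": str | None} describing the response.
    """
    login_error_url = provider_props.get("loginErrorUrl")
    if not login_error_url:
        # No error page configured: the pre-fix behaviour, a bare 401 in the browser.
        return {"status": 401, "location": None}

    forward = str(provider_props.get("sendOpErrorParamsToLoginErrorUrl", "false")).lower() == "true"
    if not forward:
        # Redirect to the administrator's error page without any OP details.
        return {"status": 302, "location": login_error_url}

    # Append the OP's error parameters to the configured URL, preserving any
    # query string already on it and percent-encoding the values.
    forwarded = [(k, op_params[k]) for k in FORWARDED_PARAMS if k in op_params]
    parts = urlsplit(login_error_url)
    existing = parse_qsl(parts.query, keep_blank_values=True)
    query = urlencode(existing + forwarded)
    location = urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))
    return {"status": 302, "location": location}


if __name__ == "__main__":
    for props in (
        {},
        {"loginErrorUrl": "https://rp.example.test/login-error"},
        {"loginErrorUrl": "https://rp.example.test/login-error?app=portal",
         "sendOpErrorParamsToLoginErrorUrl": "true"},
    ):
        print(props, "->", login_failure_response(props, SAMPLE_OP_ERROR))
```

Note that the model only runs when the OP has actually redirected back to the RP with error parameters; as the conclusion above states, an OP that shows its own error page and never returns to the RP gives the RP nothing to act on, regardless of how loginErrorUrl is set.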
Temporary fix
Comments
APAR Information
APAR number
PH15626
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-08-14
Closed date
2019-10-22
Last modified date
2019-10-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
07 December 2021