IBM Support

PH25547: OIDC INCORRECT BEHAVIOR IF OPAQUE TOKEN IS IN AUTHORIZATION HEADER AND USEJWTFROMREQUEST=IFPRESENT


APAR status

  • Closed as program error.

Error description

  • When the OpenID Connect TAI is configured with
    useJwtFromRequest=ifPresent, and an opaque token is sent in
    the Authorization header of an HTTP request, the user will
    always be redirected to the OpenID provider for interactive
    login.
    
    If an introspection endpoint is configured, the OIDC RP should
    attempt to validate the opaque token via the introspection
    endpoint.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OpenID Connect                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: OIDC TAI is not sending token to OP     *
    *                      for introspection when configured       *
    *                      with useJwtFromRequest=ifPresent.       *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    The provider_<id>.useJwtFromRequest OpenID Connect (OIDC) Trust
    Association Interceptor (TAI) custom property is defined as:
    "This property controls processing if a JWT is found in the
    request authorization header."
    One of the supported values for the useJwtFromRequest property
    is ifPresent.  The ifPresent value is described as:
    "Use a JWT if one is present.  If a JWT is missing or invalid,
    fall back to using the OpenID Connect provider for
    authentication, if one is configured."
    However, when the TAI is configured for introspection and a
    request is processed by the TAI that contains a token on the
    Authorization header that is not a JWT, instead of sending the
    token to the OpenID provider's introspection endpoint, the TAI
    will redirect the request to the OpenID provider's interactive
    login page.
    

Problem conclusion

  • The OIDC TAI is updated so that, when an introspection
    endpoint is configured, it will *not* attempt introspection
    for a token from the Authorization header in the following
    cases:
    
    1. useJwtFromRequest=required
    2. useJwtFromRequest=ifPresent and the token on the
    Authorization header is a JWT
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18 and 9.0.5.5. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    
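The dispatch decision the APAR describes, as an added example that is not IBM's TAI code: a small Python model of how a bearer token on the Authorization header is routed before and after the fix. The action names, the `fixed` flag, the JWT heuristic, the sample tokens and the handling of useJwtFromRequest=required with a non-JWT token (the APAR says only that introspection is not attempted) are assumptions.

```python
import base64
import json
from typing import Optional

# Constructed sample tokens (not from the APAR): a JWT with header {"alg":"RS256"}
# and payload {"sub":"alice"}, and an opaque reference token.
SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"
SAMPLE_OPAQUE = "2YotnFZFEjr1zCsicMWpAA"


def looks_like_jwt(token: str) -> bool:
    """Heuristic: three dot-separated segments whose first segment is a
    base64url-encoded JSON object (the JOSE header). Opaque tokens fail this."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(header, dict)


def tai_action(token: Optional[str], use_jwt_from_request: str,
               introspection_configured: bool, fixed: bool = True) -> str:
    """Model of the TAI dispatch for a bearer token. Returns one of
    'validate_jwt', 'introspect', 'redirect_to_op' or 'reject'."""
    if use_jwt_from_request not in ("required", "ifPresent"):
        raise ValueError("only the two values named in the APAR are modelled")
    if token is None:
        # ifPresent: no JWT, so fall back to the OP ('reject' for required is an assumption)
        return "redirect_to_op" if use_jwt_from_request == "ifPresent" else "reject"
    if looks_like_jwt(token):
        # A JWT is validated locally; per the fix it is never sent for introspection
        return "validate_jwt"
    # Non-JWT (opaque) token on the Authorization header
    if use_jwt_from_request == "required":
        # The fix says no introspection is attempted; the exact outcome is an assumption
        return "reject"
    if introspection_configured and fixed:
        # Fixed behaviour: ifPresent + opaque token -> validate via introspection endpoint
        return "introspect"
    # Pre-fix behaviour (or no introspection endpoint): interactive login at the OP
    return "redirect_to_op"
```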

Temporary fix

Comments

APAR Information

  • APAR number

    PH25547

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-05-19

  • Closed date

    2020-06-30

  • Last modified date

    2020-09-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP


Document Information

Modified date:
06 December 2021