APAR status
Closed as program error.
Error description
The getJwtClaimsAsMap method in the com.ibm.websphere.security.oidc.util.OidcClientHelper API might return null when a valid JWT is passed to the method. A stack trace like the following can be observed.
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R java.lang.Exception: An error occurred when creating a claims map for the JWT [base64string].
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at com.ibm.ws.security.oidc.util.JSONUtil.getClaimsFromJwtAsMap(JSONUtil.java:995)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at com.ibm.ws.security.oidc.util.OidcHelper.getJwtClaimsAsMap(OidcHelper.java:571)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at com.ibm.websphere.security.oidc.util.OidcClientHelper.getJwtClaimsAsMap(OidcClientHelper.java:402)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at com.company.CompanyJaas.login(CompanyJaas.java:176)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at sun.reflect.GeneratedMethodAccessor478.invoke(Unknown Source)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:88)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R Caused by: org.jose4j.lang.JoseException: Parsing error: org.jose4j.json.internal.json_simple.parser.ParseException: Unexpected token END OF FILE at position 421.
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R at org.jose4j.json.JsonUtil.parseJson(JsonUtil.java:66)
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R at com.ibm.ws.security.oidc.util.JSONUtil.getClaimsFromJwtAsMap(JSONUtil.java:989)
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R ... 41 more
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R Caused by: org.jose4j.json.internal.json_simple.parser.ParseException: Unexpected token END OF FILE at position 421.
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R at org.jose4j.json.internal.json_simple.parser.JSONParser.parse(JSONParser.java:257)
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R at org.jose4j.json.internal.json_simple.parser.JSONParser.parse(JSONParser.java:81)
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R at org.jose4j.json.JsonUtil.parseJson(JsonUtil.java:62)
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R ... 42 more
Local fix
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import com.ibm.websphere.security.oidc.util.OidcClientHelper;

String idTokenJwt = OidcClientHelper.getIdTokenFromSubject();
// get the encoded claims string (the second segment of the compact JWT)
String[] parts = idTokenJwt.split("\\.");
String encClaims = parts[1];
// decode the claims with the Base64 URL decoder; JWT segments use the URL-safe alphabet,
// so a regular Base64 decoder fails whenever the segment contains '-' or '_'
byte[] bytes = Base64.getUrlDecoder().decode(encClaims.getBytes(StandardCharsets.UTF_8));
String claims = new String(bytes, StandardCharsets.UTF_8);
// convert the claims to a map
Map<String, Object> claimsMap = OidcClientHelper.json2map(claims);
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
*                 Server OidcClientHelper.getJwtClaimsAsMap API *
****************************************************************
* PROBLEM DESCRIPTION: OidcHelper.getJwtClaimsAsMap might      *
*                      return null even though the input JWT   *
*                      parameter is valid.                     *
****************************************************************
* RECOMMENDATION: Install an interim fix or fix pack that      *
*                 contains this APAR.                          *
****************************************************************
The com.ibm.websphere.security.oidc.util.OidcClientHelper.getJwtClaimsAsMap API might return null even though the input JWT parameter is valid.
Problem conclusion
The com.ibm.websphere.security.oidc.util.OidcClientHelper.getJwtClaimsAsMap API is using a regular Base64 decoder to decode the claims in the JWT string. This works most of the time. However, JWT segments are produced with a Base64 URL encoder (the URL-safe alphabet with '-' and '_'), not a regular Base64 encoder. Therefore, a Base64 URL decoder must be used to decode a JWT claims string. The fix for this APAR is targeted for inclusion in fix pack 8.5.5.25 and 9.0.5.19. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
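An added illustration of the decoder mismatch described above, written with java.util.Base64 (example code, not IBM's). The token is constructed for the demonstration, the signature segment is a placeholder, and the '?' in the name claim sits at an offset that makes the payload segment encode to a string containing '_'.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example (not IBM's code): a regular Base64 decoder rejects JWT payload
// segments that contain '-' or '_', while the Base64 URL decoder handles them.
public class JwtPayloadDecodeDemo {

    // Correct variant: decodes the payload segment with the URL-safe alphabet.
    // Base64.getUrlDecoder() accepts unpadded input, which is what JWT segments are.
    // Note: this only parses the payload; it does not validate the signature, so
    // call it only on a token that has already been verified upstream.
    static String decodeClaimsUrlSafe(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a compact JWT: expected at least 2 segments");
        }
        byte[] bytes = Base64.getUrlDecoder().decode(parts[1]);
        return new String(bytes, StandardCharsets.UTF_8);
    }

    // Faulty variant matching the APAR: regular alphabet ('+' and '/').
    // java.util.Base64 rejects '-' or '_' outright; a decoder that silently stops at
    // the first foreign character would instead hand truncated JSON to the parser.
    // Returns null on failure, mirroring the null result the APAR reports.
    static String decodeClaimsStandard(String jwt) {
        String[] parts = jwt.split("\\.");
        try {
            return new String(Base64.getDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample token; "sig" stands in for a real signature segment.
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String claims = "{\"sub\":\"alice\",\"name\":\"Who?\",\"iss\":\"https://issuer.example\"}";
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String jwt = enc.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                   + enc.encodeToString(claims.getBytes(StandardCharsets.UTF_8)) + ".sig";

        // The payload segment contains "aG8_" (the bytes 'h','o','?'), which is
        // legal only in the URL-safe alphabet.
        System.out.println("payload segment:  " + jwt.split("\\.")[1]);
        System.out.println("standard decoder: " + decodeClaimsStandard(jwt));
        System.out.println("url-safe decoder: " + decodeClaimsUrlSafe(jwt));
    }
}
```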
Temporary fix
Comments
APAR Information
APAR number
PH58024
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-11-06
Closed date
2023-11-14
Last modified date
2023-11-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Business Unit: IBM Software w/o TPS (BU059); Product: WebSphere Application Server (SSEQTP); Platform: Platform Independent (PF025); Version: 9.0; Line of Business: Automation (LOB45)
Document Information
Modified date:
28 November 2023