IBM Support

PH47272: OIDC: DYNAMICALLY CHOOSE SIGNATURE ALGORITHM INSTEAD OF REQUIRING A FIXED VALUE


APAR status

  • Closed as program error.

Error description

  • With the OpenID Connect (OIDC) Trust Association Interceptor
    (TAI), you currently must hardcode the signature algorithm
    that is used to validate the ID token for the OIDC relying
    party (RP) or the JWT for JWT Authentication.  This causes
    usability problems for users, especially with the RP, which
    defaults to the less-used HS256 algorithm.
    
    The signature algorithm used to sign the token is in the
    object header.  The OIDC TAI should be able to use this
    signature algorithm for verification.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  and the OIDC TAI.                           *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC TAI requires that you hardcode *
    *                      the signature algorithm that is used to *
    *                      verify tokens.                          *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  includes this APAR.                         *
    ****************************************************************
    The OIDC TAI requires that you hardcode the
    provider_(id).signatureAlgorithm property. This causes
    usability problems for users, especially with the RP, which
    defaults to the less-used HS256 algorithm.
    This scheme also requires a code update each time a new
    signature algorithm is required.
    

Problem conclusion

  • The OIDC TAI is updated to dynamically choose the signature
    algorithm that is used to verify the ID token and JWT signature
    based on the header in the token.  This is controlled by setting
    signatureAlgorithm to HEADER.  The default setting for the
    provider_(id).signatureAlgorithm property is updated to be
    HEADER.
    
    As part of this APAR, an allow list and deny list are added
    to give the administrator the option of using the algorithm in
    the header, but disallowing a set of algorithms, or only
    allowing a specific set of algorithms.
    
    Because HS256 is not secure, in most cases, HS256 is added to
    the deny list by default.
    
    ===================
    Updated properties:
    
    ==============================
    provider_(id).signatureAlgorithm
    
    Values:
    none
    HS256
    RS256
    RS512
    HEADER (default)
    
    Description:
    Specifies the algorithm that is used to secure messages from the
    OpenID Connect provider.  When this property is set to HEADER,
    the value is obtained from the header of each inbound token.
    
    ==============================
    provider_<id>.discoveryEndpointUrl
    
    The signatureAlgorithm property is no longer in the list of
    properties obtained from the discovery result.
    
    ===============
    New properties:
    
    ==============================
    provider_(id).signatureAllowList
    
    Values:
    You can specify a comma-separated list of signature algorithms.
    This property does not have a default value.
    
    Description:
    Specifies a comma-separated list of signature algorithms that
    are allowed to secure messages from the OpenID Connect provider.
    If the provider_(id).signatureAlgorithm property is set to a
    value other than HEADER, this property is ignored.  A value
    cannot be provided for both this property and the
    provider_(id).signatureDenyList property.  This list can include
    any value that is supported by the jose4j open source project
    except HS256.  Besides ensuring that the HS256 signature
    algorithm is not in the list, the values for this property are
    not validated by the OIDC TAI.
    
    ==============================
    provider_(id).signatureDenyList
    
    Values:
    You can specify a comma-separated list of signature algorithms.
    See the description for the default value.
    
    Description:
    Specifies a comma-separated list of signature algorithms that
    are not allowed to secure messages from the OpenID Connect
    provider.  If the provider_(id).signatureAlgorithm property is
    set to a value other than HEADER, this property is ignored.  A
    value cannot be provided for both this property and the
    provider_(id).signatureAllowList property.  This list can
    include any value that is supported by the jose4j open source
    project and the values are not validated by the OIDC TAI.
    
    The HS256 algorithm is not secure and we want to disallow it by
    default.  However, since the default for the OIDC RP was
    originally HS256, but it is now HEADER, this property cannot
    default to HS256 unconditionally.
    
    If the configured list does not include HS256, HS256 is added to
    the list if any of the following conditions are true:
    
    * The provider_(id).useJwtFromRequest property is set to
    required.
    * The provider_(id).signatureAlgorithm property is set to
    HEADER.
    * Discovery is in use and HS256 is the only value for the
    id_token_signing_alg_values_supported claim in the OP's
    discovery result.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.23 and 9.0.5.13. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
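
The selection rules described under "Problem conclusion" can be modeled as follows. This is an added example, not IBM's code: the function names, the provider id `1`, treating an invalid list configuration as an error, and the constructed sample tokens are assumptions, and no signature is verified here.

```python
import base64, json

def header_alg(token):
    """Return the alg value from a compact JWS header (no signature check here)."""
    seg = token.split(".")[0]
    raw = base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
    return json.loads(raw)["alg"]

def split_list(props, key):
    return [v.strip() for v in props.get(key, "").split(",") if v.strip()]

def effective_deny_list(props, pid, discovery_algs=None):
    """Configured deny list plus HS256 when any of the three listed conditions holds."""
    p = f"provider_{pid}."
    deny = split_list(props, p + "signatureDenyList")
    add_hs256 = (
        props.get(p + "useJwtFromRequest") == "required"
        or props.get(p + "signatureAlgorithm", "HEADER") == "HEADER"
        or discovery_algs == ["HS256"]   # None means discovery is not in use
    )
    if add_hs256 and "HS256" not in deny:
        deny.append("HS256")
    return deny

def select_verification_alg(props, pid, token, discovery_algs=None):
    """Algorithm to verify `token` with, or ValueError if the policy rejects it."""
    p = f"provider_{pid}."
    configured = props.get(p + "signatureAlgorithm", "HEADER")
    if configured != "HEADER":
        return configured                # fixed value: both lists are ignored
    allow = split_list(props, p + "signatureAllowList")
    if allow and split_list(props, p + "signatureDenyList"):
        raise ValueError("allow list and deny list cannot both be set")
    if "HS256" in allow:
        raise ValueError("HS256 is not permitted in the allow list")
    alg = header_alg(token)
    # The page does not say how a header alg of "none" is treated; only the lists apply here.
    if allow and alg not in allow:
        raise ValueError(f"{alg} is not in the allow list")
    if not allow and alg in effective_deny_list(props, pid, discovery_algs):
        raise ValueError(f"{alg} is on the deny list")
    return alg

def sample_token(alg):
    """Constructed, unsigned sample: only the header matters to this model."""
    hdr = base64.urlsafe_b64encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return hdr.rstrip(b"=").decode() + ".e30.c2ln"
```

With `signatureAlgorithm` left at HEADER, the second condition always holds, so HS256 is always on the effective deny list; setting `signatureAllowList` to the algorithms the provider actually signs with narrows acceptance further.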
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH47272

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-06-16

  • Closed date

    2022-06-28

  • Last modified date

    2023-01-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels


Document Information

Modified date:
25 January 2023