APAR status
Closed as program error.
Error description
When an ID token or JWT is signed with a PS256 key, the following error is emitted:
CWTAI2086E: The OIDC TAI failed to validate the ID token due to [JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.InvalidAlgorithmException: PS256 is an unknown, unsupported or unavailable alg algorithm (not one of [none, HS256, HS384, HS512, ES256, ES384, ES512, RS256, RS384, RS512])
The minimum Java version that supports PS256 is 1.8.0_251.
Local fix
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server and OIDC
PROBLEM DESCRIPTION: The OIDC TAI is unable to validate the signature of a JWT that is signed with a PS256 key.
RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.
Although the Jose4j open source component that the OIDC TAI uses to process JWTs supports PS256, when the OIDC TAI sends a JWT that is signed with a PS256 key to Jose4j for signature validation, the following error occurs:
org.jose4j.lang.InvalidAlgorithmException: PS256 is an unknown, unsupported or unavailable alg algorithm (not one of [none, HS256, HS384, HS512, ES256, ES384, ES512, RS256, RS384, RS512])
Problem conclusion
The JCA algorithm name that the IBM JDK uses for the RSA-PSS signature algorithm (RSAPSS) is different from that of the standard Oracle JDK (RSASSA-PSS). When Jose4j queries for support of the RSA-PSS signature algorithm, it looks for RSASSA-PSS, not RSAPSS, so the algorithm appears to be unavailable even though the provider supports it. The OIDC TAI is updated so that Jose4j chooses the RSAPSS algorithm when it encounters a JWT that is signed with a PS256 key. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.24 and 9.0.5.16. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
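The root cause above is a JCA naming mismatch: a PS256 verifier that asks the JDK for "RSASSA-PSS" by name fails on a JDK that registers the same algorithm as "RSAPSS". The following standalone Java program, added here as an illustration and not code from WebSphere, the OIDC TAI or Jose4j, shows how to detect which name the running JDK provides before constructing the Signature, and then signs and verifies a constructed JWS signing input with PS256 parameters (SHA-256, MGF1 with SHA-256, 32-byte salt, as RFC 7518 defines PS256). The class and method names are the author's own; the assumption that the IBM "RSAPSS" implementation accepts a standard PSSParameterSpec is labelled in the code.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Set;

public class Ps256AlgorithmNameCheck {

    // PS256 as defined in RFC 7518 section 3.5: RSASSA-PSS with a SHA-256 digest,
    // MGF1 using SHA-256, a 32-byte salt and trailer field 1.
    static final PSSParameterSpec PS256_PARAMS =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);

    /**
     * Returns the JCA Signature name under which the running JDK registers RSA-PSS.
     * Security.getAlgorithms() returns names in upper case, so the lookups are exact.
     * Hypothetical helper; the two names are the ones the APAR text describes.
     */
    static String pssSignatureName() {
        Set<String> names = Security.getAlgorithms("Signature");
        if (names.contains("RSASSA-PSS")) {
            return "RSASSA-PSS";   // Oracle/OpenJDK name
        }
        if (names.contains("RSAPSS")) {
            return "RSAPSS";       // IBM JDK name
        }
        throw new IllegalStateException(
                "No RSA-PSS Signature implementation is available; PS256 cannot be used on this JDK");
    }

    static byte[] signPs256(PrivateKey key, byte[] signingInput) throws GeneralSecurityException {
        Signature sig = Signature.getInstance(pssSignatureName());
        // Assumption: both the RSASSA-PSS and the RSAPSS implementations accept this spec.
        sig.setParameter(PS256_PARAMS);
        sig.initSign(key);
        sig.update(signingInput);
        return sig.sign();
    }

    static boolean verifyPs256(PublicKey key, byte[] signingInput, byte[] signature)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance(pssSignatureName());
        sig.setParameter(PS256_PARAMS);
        sig.initVerify(key);
        sig.update(signingInput);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("RSA-PSS Signature name on this JDK: " + pssSignatureName());

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed JWS signing input: base64url({"alg":"PS256"}) "." base64url({"sub":"example"}).
        byte[] signingInput = "eyJhbGciOiJQUzI1NiJ9.eyJzdWIiOiJleGFtcGxlIn0"
                .getBytes(StandardCharsets.US_ASCII);

        byte[] signature = signPs256(kp.getPrivate(), signingInput);
        System.out.println("Signature verifies: "
                + verifyPs256(kp.getPublic(), signingInput, signature));

        // A modified signing input must fail verification.
        byte[] tampered = signingInput.clone();
        tampered[tampered.length - 1] ^= 0x01;
        System.out.println("Tampered input verifies: "
                + verifyPs256(kp.getPublic(), tampered, signature));
    }
}
```

Running this on an affected IBM JDK prints RSAPSS as the selected name, while an Oracle or OpenJDK build from 8u251 onward prints RSASSA-PSS; on either, the first verification succeeds and the tampered one fails. The same check is a quick way to confirm whether a given JDK can validate PS256 tokens at all before deploying the fix pack named above.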
Temporary fix
Comments
APAR Information
APAR number
PH52459
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-02-08
Closed date
2023-02-22
Last modified date
2023-02-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
23 February 2023