IBM Support

PH52459: OIDC emits a CWTAI2086E error when a JWT is signed with a PS256 key

Abstract

PH52459: OIDC emits a CWTAI2086E error when a JWT is signed with a PS256 key

Download Description


THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.

PH52459 resolves the following problem:

ERROR DESCRIPTION:
When an ID token or JWT is signed with a PS256 key, the following error is emitted:
CWTAI2086E: The OIDC TAI failed to validate the ID token due to [JWT processing failed.  Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.InvalidAlgorithmException: PS256 is an unknown, unsupported or unavailable alg algorithm (not one of [none, HS256, HS384, HS512, ES256, ES384, ES512, RS256, RS384, RS512])
The minimum Java version to use PS256 is 1.8.0_251.
PROBLEM CONCLUSION:
The constant that the IBM JDK uses for the RSA-PSS signature algorithm (RSAPSS) is different from that of the standard Oracle JDK (RSASSA-PSS). When jose4j queries the JCA for support of the RSASSA-PSS signature algorithm, it asks for RSASSA-PSS, not RSAPSS, so on the IBM JDK the lookup fails and PS256 is reported as unsupported.
The OIDC TAI is updated so that jose4j selects the RSAPSS algorithm name when it encounters a JWT that is signed with a PS256 key.
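The algorithm-name mismatch described above can be reproduced and handled with plain JCA calls. The following is an added example, not IBM's or jose4j's code: it probes the running JVM for the standard name first and the IBM alias second, then signs and verifies with the PS256 parameter set (SHA-256, MGF1 with SHA-256, 32-byte salt, per RFC 7518). The signing input is a constructed placeholder, not a real JWT.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;

public class Ps256Probe {
    // Standard JCA name (Oracle/OpenJDK) first, IBM JDK name as the fallback alias.
    private static final String[] PSS_NAMES = {"RSASSA-PSS", "RSAPSS"};

    // PS256 = RSASSA-PSS with SHA-256, MGF1(SHA-256), salt length 32, trailer field 1.
    private static final PSSParameterSpec PS256 =
        new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);

    /** Returns the first RSA-PSS Signature name that an installed provider supplies. */
    static String resolvePssName() throws NoSuchAlgorithmException {
        for (String name : PSS_NAMES) {
            try {
                Signature.getInstance(name);
                return name;
            } catch (NoSuchAlgorithmException e) {
                // not known under this name; try the next alias
            }
        }
        throw new NoSuchAlgorithmException(
            "no RSA-PSS Signature provider available (Java 8u251 or later is required)");
    }

    /** Verifies a PS256 signature over the given signing input with the resolved alias. */
    static boolean verifyPs256(PublicKey key, byte[] signingInput, byte[] sig)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance(resolvePssName());
        verifier.initVerify(key);
        verifier.setParameter(PS256);
        verifier.update(signingInput);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        byte[] input = "constructed.signing.input".getBytes(StandardCharsets.US_ASCII);
        Signature signer = Signature.getInstance(resolvePssName());
        signer.initSign(kp.getPrivate());
        signer.setParameter(PS256);
        signer.update(input);
        byte[] sig = signer.sign();
        System.out.println("PSS alias in use: " + resolvePssName());
        System.out.println("PS256 verifies:   " + verifyPs256(kp.getPublic(), input, sig));
    }
}
```

On an IBM JDK the probe prints RSAPSS and on Oracle/OpenJDK it prints RSASSA-PSS; a verifier that only tries the first name fails on the IBM JDK in the same way the CWTAI2086E error describes.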

The fix for PH52459 is targeted for inclusion in fix pack 8.5.5.24 and 9.0.5.16. Refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980


Problems Solved

PH52459

Document Location

Worldwide

Document Information

Modified date:
14 November 2023

UID

ibm17002939