Abstract
OIDC TAI Version v1.5.1; PH58024: OIDC getJwtClaimsAsMap API might return null although JWT is valid
Download Description
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.
PH58024 resolves the following problem:
ERROR DESCRIPTION:
The getJwtClaimsAsMap method in the com.ibm.websphere.security.oidc.util.OidcClientHelper API might return null when a valid JWT is passed to the method. A stack trace like the following can be observed:
```
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R java.lang.Exception: An error occurred when creating a claims map for the JWT [base64string].
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at com.ibm.ws.security.oidc.util.JSONUtil.getClaimsFromJwtAsMap(JSONUtil.java:995)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at com.ibm.ws.security.oidc.util.OidcHelper.getJwtClaimsAsMap(OidcHelper.java:571)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at com.ibm.websphere.security.oidc.util.OidcClientHelper.getJwtClaimsAsMap(OidcClientHelper.java:402)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at com.company.CompanyJaas.login(CompanyJaas.java:176)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at sun.reflect.GeneratedMethodAccessor478.invoke(Unknown Source)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:88)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
[10/5/23 9:46:07:862 AST] 000001e4 SystemErr R Caused by: org.jose4j.lang.JoseException: Parsing error: org.jose4j.json.internal.json_simple.parser.ParseException:Unexpected token END OF FILE at position 421.
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R at org.jose4j.json.JsonUtil.parseJson(JsonUtil.java:66)
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R at com.ibm.ws.security.oidc.util.JSONUtil.getClaimsFromJwtAsMap(JSONUtil.java:989)
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R ... 41 more
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R Caused by:org.jose4j.json.internal.json_simple.parser.ParseException:Unexpected token END OF FILE at position 421.
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R at org.jose4j.json.internal.json_simple.parser.JSONParser.parse(JSONParser.java:257)
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R at org.jose4j.json.internal.json_simple.parser.JSONParser.parse(JSONParser.java:81)
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R at org.jose4j.json.JsonUtil.parseJson(JsonUtil.java:62)
[10/5/23 9:46:07:863 AST] 000001e4 SystemErr R ... 42 more
```
WORKAROUND:
You can get the claims segment from the token and decode it yourself with a Base64 URL decoder, then use OidcClientHelper.json2map to convert the decoded claims string into a Map. For example:
```java
String idTokenJwt = OidcClientHelper.getIdTokenFromSubject();
// get the encoded claims string (second segment of header.claims.signature)
String[] parts = idTokenJwt.split("\\.");
String encClaims = parts[1];
// decode the claims with the Base64 URL decoder, not the regular Base64 decoder
byte[] bytes = java.util.Base64.getUrlDecoder()
        .decode(encClaims.getBytes(java.nio.charset.StandardCharsets.UTF_8));
String claims = new String(bytes, java.nio.charset.StandardCharsets.UTF_8);
// convert the decoded claims to a map
Map<String, Object> claimsMap = OidcClientHelper.json2map(claims);
```
PROBLEM CONCLUSION:
The com.ibm.websphere.security.oidc.util.OidcClientHelper.getJwtClaimsAsMap API was using a regular Base64 decoder to decode the claims segment of the JWT string. This works most of the time. However, JWTs are encoded with a Base64 URL encoder, not a regular Base64 encoder, so the claims segment can contain the characters '-' and '_', which are not in the regular Base64 alphabet. Therefore, a Base64 URL decoder must be used to decode a JWT claims string.
The fix for PH58024 is targeted for inclusion in fix packs 8.5.5.25 and 9.0.5.19. Refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
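The following is an added example, not IBM's code, that shows the decoding failure described in the problem conclusion and the Base64 URL decoding used in the workaround side by side; the claims, the header and the signature placeholder are constructed, and nothing here verifies the signature.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example (not IBM code): decoding a JWT claims segment with the right Base64 alphabet. */
public class JwtClaimsDecoding {

    // Constructed claims, not from a real token. '?' (offset 8) and '~' (offset 20) each sit in
    // the third byte of a 3-byte Base64 group, so their low six bits (63 and 62) encode as '_'
    // and '-' in the URL-safe alphabet; the regular alphabet uses '/' and '+' for those values.
    static final String CLAIMS_JSON = "{\"sub\":\"?\",\"iss\":\"ab~\"}";

    /** Encode claims the way a JWT does: URL-safe alphabet, no '=' padding (base64url). */
    static String encodeClaims(String json) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    /** Decode a JWT claims segment correctly: URL-safe alphabet, padding optional. */
    static String decodeClaims(String claimsSegment) {
        byte[] bytes = Base64.getUrlDecoder().decode(claimsSegment);
        return new String(bytes, StandardCharsets.UTF_8);
    }

    /** A regular Base64 decoder, as the page describes; returns null where it rejects the input. */
    static String decodeClaimsWithRegularDecoder(String claimsSegment) {
        try {
            byte[] bytes = Base64.getDecoder().decode(claimsSegment);
            return new String(bytes, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // '-' or '_' is not in the regular Base64 alphabet
        }
    }

    /** Pull the claims segment out of a compact-serialised JWS (header.claims.signature). */
    static String claimsSegmentOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected 3 segments, got " + parts.length);
        }
        return parts[1];
    }

    public static void main(String[] args) {
        // Constructed header {"alg":"RS256"} and a placeholder signature; neither is checked here.
        String jwt = "eyJhbGciOiJSUzI1NiJ9." + encodeClaims(CLAIMS_JSON) + ".sig";
        String segment = claimsSegmentOf(jwt);
        System.out.println("claims segment  : " + segment);
        System.out.println("URL decoder     : " + decodeClaims(segment));
        System.out.println("regular decoder : " + decodeClaimsWithRegularDecoder(segment));
    }
}
```

Apply this decoding only to a token the OIDC TAI has already validated, such as the one returned by OidcClientHelper.getIdTokenFromSubject, because splitting and decoding a JWT checks neither its signature nor its expiry.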
Problems Solved
PH58024
Change History
2023-12-15: Add fix file for 9.0.5.18.
2024-03-25: Deprecate and remove fix files.
Document Location
Worldwide
Document Information
Modified date:
04 April 2024
UID
ibm17069520