Download
Abstract
OIDC RP default identifiers are not available when customs are configured.
Download Description
THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote Obtaining WebSphere OpenID Connect (OIDC) latest version.
ERROR DESCRIPTION:
In the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI), the user name must be taken from a single claim, and that claim must be present in every JWT: either the default claim (sub) or a configured custom claim identifier.
If most of the JWTs received by the RP contain the sub claim but a few do not, the OIDC RP will not operate properly. The administrator must ensure that all of their OpenID Providers (OPs) are standardized to meet this consistent-claim requirement, which may not be possible for some administrators.
PROBLEM CONCLUSION:
The OIDC RP is updated to allow the TAI to use either the default or a custom identifier for user, unique user, group, or realm.
The following property is added to the OIDC RP TAI custom properties:
Property | Values | Description |
---|---|---|
provider_<id>.useDefaultIdentifierFirst | true, false (default) | Specifies that, if a custom identifier is specified for the user (userIdentifier), unique user (uniqueUserIdentifier), group (groupIdentifier), or realm (realmIdentifier), the custom value is only used if the default value does not exist in the token. For example, if useDefaultIdentifierFirst=true and userIdentifier=username, for a JWT that contains sub=user1 and username=user2, the resolved user name is user1. If useDefaultIdentifierFirst=false, the resolved user name is user2. |
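The resolution rule in the table, modelled as an added example (this is illustrative code, not IBM's TAI implementation). Only `sub` as the default user claim comes from this page; the default claim names assumed for the unique user, group and realm identifiers are placeholders, and the JWT claims are a constructed sample.

```python
# Added example: models provider_<id>.useDefaultIdentifierFirst resolution.
# Not IBM's TAI code; claim defaults other than "sub" are ASSUMED placeholders.
from typing import Any, Dict, Mapping, Optional

DEFAULT_CLAIMS = {
    "userIdentifier": "sub",            # stated on the page
    "uniqueUserIdentifier": "sub",      # assumed placeholder
    "groupIdentifier": "groupIds",      # assumed placeholder
    "realmIdentifier": "realmName",     # assumed placeholder
}


def resolve_identifier(claims: Mapping[str, Any], kind: str,
                       config: Mapping[str, str]) -> Optional[Any]:
    """Return the claim value the RP would use for `kind`, or None if absent.

    `config` holds the provider_<id>.* custom properties as strings, e.g.
    {"userIdentifier": "username", "useDefaultIdentifierFirst": "true"}.
    """
    default_claim = DEFAULT_CLAIMS[kind]
    custom_claim = config.get(kind)
    use_default_first = config.get("useDefaultIdentifierFirst", "false").lower() == "true"
    if custom_claim is None:
        # No custom identifier configured: only the default claim applies.
        return claims.get(default_claim)
    if use_default_first:
        # true: custom value is used only when the default claim is absent.
        return claims.get(default_claim, claims.get(custom_claim))
    # false (default): the custom claim is used; the page describes no fallback.
    return claims.get(custom_claim)


def resolve_subject(claims: Mapping[str, Any],
                    config: Mapping[str, str]) -> Dict[str, Optional[Any]]:
    """Resolve all four identifiers; a token with no usable user name is rejected."""
    resolved = {kind: resolve_identifier(claims, kind, config) for kind in DEFAULT_CLAIMS}
    if resolved["userIdentifier"] is None:
        raise ValueError("no usable user identifier claim in JWT")
    return resolved


if __name__ == "__main__":
    # Constructed sample claims matching the page's example.
    token = {"sub": "user1", "username": "user2"}
    cfg = {"userIdentifier": "username", "useDefaultIdentifierFirst": "true"}
    print(resolve_subject(token, cfg)["userIdentifier"])  # user1
```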
The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.16 and 9.0.0.12. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Document Location
Worldwide
Document Information
Modified date:
11 July 2019
UID
ibm10875512