Fixes are available
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
PH13175: OIDC v1.2.0; OIDC RP tokens are not revoked when sessions are evicted from the cache
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
PH29099: OIDC v1.3.1; OIDC RP: ClassNotFoundException for JsonUtil$DupeKeyDisallowingLinkedHashMap
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
PH39666: OIDC v1.3.2; OIDC RP: Initial login might fail when the OIDC stateId contains special characters
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
Although you can programmatically obtain, from the runAs Subject, the token information associated with OpenID Connect, there are no easy-to-use APIs to obtain this information. There are also no APIs that can be used to trigger operations, such as refreshing an expired access token or obtaining the latest user information from the OpenID provider.
Local fix
n/a
Problem summary
USERS AFFECTED: IBM WebSphere Application Server users of OpenID Connect
PROBLEM DESCRIPTION: The OIDC RP does not have methods to programmatically obtain tokens or perform operations.
RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.

The OpenID Connect Relying Party does not have APIs available to obtain its ID token, access token and other associated information from the runAs Subject.
Problem conclusion
The following utility class is added to the OpenID Connect (OIDC) Relying Party:

  com.ibm.websphere.security.oidc.util.OidcClientHelper

This class can be found in the following jars:

  (washome)/plugins/com.ibm.ws.security.oidc.client.jar
  (washome)/dev/was_public.jar

The following methods are available in the new class:

  public static String getIdTokenFromSubject();
  public static String getAccessTokenFromSubject();
  public static String getRefreshTokenFromSubject();
  public static String getTokenTypeFromSubject();
  public static String getScopeFromSubject();
  public static String getUserInfoFromSubject();
  public static String getValidAccessToken();
  public static String getUserInfoFromServer();
  public static Subject getRunAsSubject();

Following is the javadoc for the new methods:

  /**
   * Retrieve the ID token from the current runAs Subject.
   *
   * @return JSON String representation of the ID token or null
   *         if there is no ID token on the Subject
   *
   * @throws Exception if an error occurs either while obtaining
   *         the runAs Subject or accessing the private credentials.
   */
  public static String getIdTokenFromSubject();

  /**
   * Retrieve the access token from the current runAs Subject.
   *
   * @return JSON String representation of the access token or
   *         null if there is no access token on the Subject
   *
   * @throws Exception if an error occurs either while obtaining
   *         the runAs Subject or accessing the private credentials.
   */
  public static String getAccessTokenFromSubject();

  /**
   * Retrieve the refresh token from the current runAs Subject.
   *
   * @return JSON String representation of the refresh token or
   *         null if there is no refresh token on the Subject
   *
   * @throws Exception if an error occurs either while obtaining
   *         the runAs Subject or accessing the private credentials.
   */
  public static String getRefreshTokenFromSubject();

  /**
   * Retrieve the token type from the current runAs Subject.
   *
   * @return The token type or null if there is no token type on
   *         the Subject
   *
   * @throws Exception if an error occurs either while obtaining
   *         the runAs Subject or accessing the private credentials.
   */
  public static String getTokenTypeFromSubject();

  /**
   * Retrieve the scope of the access token from the current runAs
   * Subject.
   *
   * @return The scope of the access token or null if there is no
   *         scope on the Subject
   *
   * @throws Exception if an error occurs either while obtaining
   *         the runAs Subject or accessing the private credentials.
   */
  public static String getScopeFromSubject();

  /**
   * Retrieve the userInfo associated with the access token from
   * the current runAs Subject.
   *
   * If there is a userinfoEndpointUrl configured for the access
   * token on the Subject, this method will return the userInfo
   * associated with the access token.
   *
   * @return The userInfo associated with the access token or null
   *         if there is no userInfo on the Subject
   *
   * @throws Exception if an error occurs either while obtaining
   *         the runAs Subject or accessing the private credentials.
   */
  public static String getUserInfoFromSubject();

  /**
   * Retrieve a valid access token based on the access token in
   * the current runAs Subject.
   *
   * A null value will be returned in the following instances:
   *
   *   Trust Association is not enabled.
   *   The OIDC RP TAI is not configured or was not successfully
   *   initialized.
   *   There is no access token on the runAs Subject.
   *   There are any errors while attempting to obtain the OIDC
   *   session data associated with the access token on the runAs
   *   Subject.
   *   The access token on the runAs Subject has expired and there
   *   is no refresh token associated with the access token.
   *   The access token on the runAs Subject has expired and any
   *   error occurs while attempting to refresh the token.
   *   The access token on the runAs Subject has expired and any
   *   error occurs while updating the OIDC session data.
   *
   * If the access token retrieved from the runAs Subject has
   * expired and is successfully refreshed, the following will be
   * updated with the new access token:
   *
   *   Its associated OIDC session data
   *   The runAs Subject
   *
   * This method will only throw an exception if errors occur
   * related to the initial processing of the runAs Subject.
   *
   * If an error occurs after information has been retrieved from
   * the runAs Subject, an FFDC entry will be created, but the
   * exception will not be emitted by this method and the method
   * will return null in most cases. If the access token has been
   * refreshed, but the runAs Subject cannot be updated, an FFDC
   * will be emitted and the method will return the new access
   * token.
   *
   * If there is a userinfoEndpointUrl configured for the access
   * token, the user info will also be refreshed.
   *
   * @return JSON String representation of a valid access token or
   *         null if the conditions listed above are true.
   *
   * @throws Exception if an error occurs either while obtaining
   *         the runAs Subject or accessing the private credentials.
   */
  public static String getValidAccessToken();

  /**
   * Retrieve the userInfo associated with the access token from
   * the configured userinfoEndpointUrl. A null value will be
   * returned in the following instances:
   *
   *   Trust Association is not enabled.
   *   The OIDC RP TAI is not configured or was not successfully
   *   initialized.
   *   There is no access token on the runAs Subject.
   *   There are any errors while attempting to obtain the OIDC
   *   session data associated with the access token on the runAs
   *   Subject.
   *   There is no userinfoEndpointUrl configured for the access
   *   token on the runAs Subject.
   *   If the access token on the runAs Subject has expired, any
   *   errors occur when attempting to refresh the access token.
   *   An error occurred while obtaining the user info from the
   *   user info endpoint.
   *
   * If the user info is successfully retrieved from the server,
   * the following will be updated with the new user info:
   *
   *   Its associated OIDC session data
   *   The runAs Subject
   *
   * @return The userInfo retrieved from the server for the
   *         access token or null in the cases outlined above.
   *
   * @throws Exception if an error occurs either while obtaining
   *         the runAs Subject or accessing the private credentials.
   */
  public static String getUserInfoFromServer();

  /**
   * getRunAsSubject returns a JAAS subject that represents the
   * RunAs identity.
   *
   * @return A JAAS subject that represents the RunAs identity.
   *
   * @throws Exception if an error occurs while obtaining the
   *         runAs Subject
   */
  public static Subject getRunAsSubject();

The fix for this APAR is currently targeted for inclusion in fix packs 8.5.5.16 and 9.0.5.0. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
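The following servlet is an added example of how an application would consume the OidcClientHelper methods listed above; it is not IBM's code and is not part of the APAR. It assumes a WebSphere traditional server containing this APAR, an application protected by the OIDC RP TAI, and a downstream API that requires the user's access token. The servlet class name, the REQUIRED_SCOPE value and the logger category are hypothetical. The point it makes is defensive: getValidAccessToken() is the one call that handles expiry and refresh, so a null from it is treated as "no usable credential" rather than falling back to a possibly expired token from the Subject, the scope is checked before the downstream call, and the token value itself is never logged.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.oidc.util.OidcClientHelper;

/**
 * Added example (not from the APAR): a servlet behind the OIDC RP TAI that
 * needs a valid access token with a given scope before calling a downstream
 * API. Class name, REQUIRED_SCOPE and the logger category are hypothetical.
 */
public class TokenAwareServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
    private static final Logger LOG = Logger.getLogger(TokenAwareServlet.class.getName());
    private static final String REQUIRED_SCOPE = "orders.read"; // hypothetical scope name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String accessToken;
        try {
            // Refreshes an expired token when a refresh token exists and updates
            // the Subject and OIDC session data; returns null for every failure
            // case in its javadoc. The only exception it throws concerns the
            // initial processing of the runAs Subject.
            accessToken = OidcClientHelper.getValidAccessToken();
        } catch (Exception e) {
            LOG.log(Level.WARNING, "Unable to process the runAs Subject", e);
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (accessToken == null) {
            // Do not fall back to getAccessTokenFromSubject() here: that token
            // may be expired or its refresh may have failed, which is why null
            // came back. Treat the request as unauthenticated.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            if (!hasScope(OidcClientHelper.getScopeFromSubject(), REQUIRED_SCOPE)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            String authHeader = authorizationHeader(
                    OidcClientHelper.getTokenTypeFromSubject(), accessToken);
            String userInfo = resolveUserInfo();
            // Only a presence flag is logged, never the token or the userInfo.
            LOG.fine("Calling downstream API; userInfo present=" + (userInfo != null));
            // ... open the downstream connection and set "Authorization" to authHeader ...
        } catch (Exception e) {
            LOG.log(Level.WARNING, "Unable to read OIDC credentials from the Subject", e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    /** OAuth scope is a space-separated list: true if it contains the required scope. */
    static boolean hasScope(String scope, String required) {
        if (scope == null || scope.trim().isEmpty()) {
            return false;
        }
        return Arrays.asList(scope.trim().split("\\s+")).contains(required);
    }

    /**
     * Authorization header value for the downstream call. The token type is
     * taken from the Subject; "Bearer" is assumed when none is recorded.
     */
    static String authorizationHeader(String tokenType, String accessToken) {
        String type = (tokenType == null || tokenType.isEmpty()) ? "Bearer" : tokenType;
        return type + " " + accessToken;
    }

    /**
     * Prefer the userInfo already on the Subject and go to the provider's
     * userinfo endpoint only when the Subject has none. getUserInfoFromServer()
     * returns null when no userinfoEndpointUrl is configured for the token.
     */
    static String resolveUserInfo() throws Exception {
        String cached = OidcClientHelper.getUserInfoFromSubject();
        return cached != null ? cached : OidcClientHelper.getUserInfoFromServer();
    }
}
```

The two catch blocks are deliberately different: an exception from getValidAccessToken() means the runAs Subject itself could not be processed, so the caller is treated as unauthenticated, whereas a failure after a valid token was obtained is a server-side problem and is reported as such without leaking credential details to the client.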
Temporary fix
Comments
APAR Information
APAR number
PH10892
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-04-10
Closed date
2019-06-19
Last modified date
2019-06-19
APAR is sysrouted FROM one or more of the following:
PH09691
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
28 April 2022