Fix (APAR): PH39666
Status: Fix
Release: 9.0.5.10
Operating System: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Supersedes Fixes: PI59831 PI63906 PI64573 PI64924 PI65751 PI73318 PI74857 PI75095 PI78336 PI80543 PI80549 PI80317 PI82308 PI84244 PI86752 PI87354 PI88253 PI88896 PI90373 PI92210 PI92332 PI94538 PI96403 PI96508 PH00569 PH02192 PH03525 PH07297 PH08804 PH10503 PH10892 PH11107 PH11684 PH12520 PH13175 PH14676 PH15248 PH15626 PH17304 PH18150 PH19189 PH19333 PH19907 PH20118 PH21008 PH21178 PH21611 PH21827 PH22038 PH22195 PH22621 PH23572 PH23697 PH24737 PH25547 PH25697 PH25774 PH26523 PH26925 PH27173 PH27213 PH27514 PH27827 PH27971 PH28253 PH28386 PH28534 PH29099 PH30368 PH30911 PH31682 PH32257 PH33170 PH34227 PH34840 PH35185 PH35481 PH39847 PH40532 PH40533
CMVC Defect: xxxxxx
Byte size of APAR: 3952027
Date: 2021-12-16
Abstract: OIDC RP initial login may fail when OIDC stateId name contains special characters

Description/symptom of problem:

PH39666 resolves the following problem:

ERROR DESCRIPTION:
When an application is protected by the OpenID Connect Relying Party, an error like the following may occur upon initial login:

SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [Cookie name "OIDCSTATE_BxEIAQzE+axNDRKbJvxvBGIcN8YrylsxeE4bFpeAfeA=_1627285785897" is a reserved token]. Check the logs for details that lead to this exception.
  at com.ibm.ws.security.oidc.client.RelyingParty.initiateLogin(RelyingParty.java:592)
  at com.ibm.ws.security.oidc.client.RelyingParty.negotiateValidateandEstablishTrust(RelyingParty.java:366)
  at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:103)
  at com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation(WebAuthenticator.java:439)
  ...
-or-
CWTAI2030I: The OpenID Connect TAI was unable to retrieve the request data with stateId [ThgkXKF1H4QGyBuHYGyn65ffJCoZUnawsBRTR861RsU%3D_1636053405653] from the state map. It may have expired.
-or-
CWTAI2019E: The state id [sS2cjek8eI1Ep9H+ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881] in the OpenID Connect relying party (RP) state cookie [OIDCSTATE_rp1] does not match the state id [sS2cjek8eI1Ep9H ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881] received from the OpenID Connect provider.

LOCAL FIX:

PROBLEM SUMMARY:
USERS AFFECTED: All users of IBM WebSphere Application Server and the OIDC RP
PROBLEM DESCRIPTION: OIDC initial login may fail when the OIDC stateId contains special characters
RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.

When an application is protected by the OpenID Connect Relying Party, an error like the following may occur upon initial login:

SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: The OpenID Connect relying party (RP) encountered a failure during the login. The exception is [Cookie name "OIDCSTATE_BxEIAQzE+axNDRKbJvxvBGIcN8YrylsxeE4bFpeAfeA=_1627285785897" is a reserved token]. Check the logs for details that lead to this exception.

This error only occurs when the provider_(id).useJavaScript OIDC TAI property is set to false. You may also observe an error like one of the following regardless of the useJavaScript setting:

CWTAI2030I: The OpenID Connect TAI was unable to retrieve the request data with stateId [ThgkXKF1H4QGyBuHYGyn65ffJCoZUnawsBRTR861RsU%3D_1636053405653] from the state map. It may have expired.

CWTAI2019E: The state id [sS2cjek8eI1Ep9H+ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881] in the OpenID Connect relying party (RP) state cookie [OIDCSTATE_rp1] does not match the state id [sS2cjek8eI1Ep9H ua//a94hDmG1/SeXxL8SDtym2VQ=_1633426286881] received from the OpenID Connect provider.
PROBLEM CONCLUSION:
The OIDC RP was creating stateIds that contain special characters that may be token separators as defined by https://datatracker.ietf.org/doc/html/rfc2616#section-2.2. The stateId is used as part of the extension of the OIDCSTATE_* cookie name that is written to the browser. The OIDC RP is updated to ensure that stateIds do not contain special characters, including token separators.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.21 and 9.0.5.11. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553

Directions to apply fix:
Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.8.5 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes: http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:
The IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes: http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.
Additional Information:
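The following Python example is added here to illustrate the PROBLEM CONCLUSION above; it is not IBM code and does not show how the WebSphere OIDC RP generates its stateIds. It checks a cookie name against the RFC 2616 section 2.2 token rules (which is why the "=" padding in the first logged cookie name, a separator, makes it a "reserved token"), shows how an unencoded "+" in the stateId becomes the space seen in CWTAI2019E, and contrasts a hypothetical URL-safe stateId layout that avoids both problems.

```python
import base64
import secrets
import time
from typing import Optional, Set
from urllib.parse import unquote_plus

# RFC 2616 section 2.2: token = 1*<any CHAR except CTLs or separators>
# separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <">
#            | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT
SEPARATORS: Set[str] = set('()<>@,;:\\"/[]?={} \t')


def offending_chars(name: str) -> Set[str]:
    """Characters in `name` that RFC 2616 forbids in a token
    (CTLs, non-ASCII and separators). Empty set means `name` is a token."""
    return {c for c in name if ord(c) <= 31 or ord(c) >= 127 or c in SEPARATORS}


def is_rfc2616_token(name: str) -> bool:
    """True if `name` is a legal HTTP token and therefore a legal cookie name."""
    return bool(name) and not offending_chars(name)


def form_decode(value: str) -> str:
    """Model a stateId that travels unencoded in a query string and is
    decoded as application/x-www-form-urlencoded by the receiver:
    '+' turns into a space, which is the mismatch CWTAI2019E reports."""
    return unquote_plus(value)


def make_state_id(now_ms: Optional[int] = None) -> str:
    """Hypothetical generator for a `<random>_<millis>` stateId (the shape
    visible in the APAR logs). Standard base64 emits '+', '/' and '=';
    URL-safe base64 without padding emits only [A-Za-z0-9_-], so the value
    is a valid token and is unchanged by URL decoding."""
    rnd = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=")
    ms = int(time.time() * 1000) if now_ms is None else now_ms
    return f"{rnd.decode('ascii')}_{ms}"


if __name__ == "__main__":
    # Constructed from the cookie name quoted in the APAR error text.
    bad = "OIDCSTATE_BxEIAQzE+axNDRKbJvxvBGIcN8YrylsxeE4bFpeAfeA=_1627285785897"
    print(bad, "->", sorted(offending_chars(bad)))  # ['=']
    good = "OIDCSTATE_" + make_state_id(1627285785897)
    print(good, "->", is_rfc2616_token(good))       # True
```

Note that "+" is not an RFC 2616 separator, so a base64 stateId with only "+" passes the cookie-name check yet still breaks the round trip once a receiver form-decodes it; the URL-safe alphabet removes both failure modes.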