Fix (APAR): PH49566 Status: Fix Release: 8.5.5.22,8.5.5.21,8.5.5.20,8.5.5.19,8.5.5.18,8.5.5.17,8.5.5.16,8.5.5.15,8.5.5.14,8.5.5.13,8.5.5.12,8.5.5.11,8.5.5.10,8.5.5.9,8.5.5.8,8.5.5.7,8.5.5.6,8.5.5.5,8.5.5.4,8.5.5.3 Operating System: AIX,HP-UX,IBM i,Linux,Solaris,Windows,z/OS Supersedes Fixes: PI23430 PI25298 PI25681 PI33449 PI37687 PI47460 PI52604 PI55697 PI56331 PI59831 PI63906 PI64573 PI64924 PI65751 PI73318 PI74857 PI75095 PI78336 PI80543 PI80549 PI80317 PI82308 PI84244 PI86752 PI87354 PI88253 PI88896 PI90373 PI92210 PI92332 PI94538 PI96403 PI96508 PH00569 PH02192 PH03525 PH07297 PH08804 PH10503 PH10892 PH11107 PH11684 PH12520 PH13175 PH14676 PH15248 PH15626 PH17304 PH18150 PH19189 PH19333 PH19907 PH20118 PH21008 PH21178 PH21611 PH21827 PH22038 PH22195 PH22621 PH23572 PH23697 PH24737 PH25547 PH25697 PH25774 PH26523 PH26925 PH27173 PH27213 PH27827 PH27971 PH28253 PH28386 PH28534 PH29099 PH30368 PH30911 PH31682 PH32257 PH33170 PH34227 PH34840 PH35185 PH35481 PH36335 PH39666 PH39847 PH40532 PH40533 PH43169 PH44467 PH44692 PH45044 PH45297 PH45740 PH46324 PH46408 PH47272 PH47482 CMVC Defect: xxxxxx Byte size of APAR: 4494531 Date: 2022-09-21 Abstract: oidc: cwtai2047e when more than one key without alg claim in jwk Description/symptom of problem: PH49566 resolves the following problem: ERROR DESCRIPTION: When the OpenID Connect (OIDC) Trust Association Interceptor (TAI) attempts to process a JWK that contains more than one key that do not contain an "alg" claim, an error similar to the following error is found in the logs: CWTAI2047E: No key was found to verify the signature. The signature algorithm is [RS256]. The JWT [kid] claim value is [YOURKID] and the [x5t] claim value is [YOURX5T]. The [jwkEndpointUrl] is [https://acme.com/jwk.jwks]. The [signVerifyAlias] property value is [ALIAS]. This issue happens after installing fix pack 9.0.5.13. LOCAL FIX: NONE PROBLEM SUMMARY USERS AFFECTED: All users of IBM WebSphere Application Server and OIDC PROBLEM DESCRIPTION: OIDC TAI CWTAI2047E error when more than one key in JWK with no "alg" claim. RECOMMENDATION: Install a fix pack or interim fix that contains this APAR. When the OpenID Connect (OIDC) Trust Association Interceptor (TAI) attempts to process a JWK that contains more than one key that do not contain an "alg" claim, a CWTAI2047E error might occur. PROBLEM CONCLUSION: The OIDC TAI is updated to allow for keys with no "sig" claim in JWK. The fix for this APAR is targeted for inclusion in fix pack 8.5.5.23 and 9.0.5.14. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553 Directions to apply fix: NOTE: Mark with an X the: 1) Release the fix applies to 2) The Editions that apply 3) And then DELETE THIS NOTE Fix applies to Editions: Release 8.5 _x_ Application Server (Express or BASE) _x_ Network Deployment (ND) __ Liberty Core __ Edge Components __ Developer Install Fix to all WebSphere installations unless special instructions are included below. Special Instructions: None NOTE: The user must: * Logged in with the same authority level when unpacking a fix, fix pack or refresh pack. * Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager and the Installation Manager will inform you during the installation process if a newer version is required. The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes. http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp. Shutdown WebSphere Application Server before applying the iFixes. Restart WebSphere Application Server after applying the iFixes. Directions to remove fix: The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes. http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp. Shutdown WebSphere Application Server before removing the iFixes. Restart WebSphere Application Server after removing the iFixes. Directions to re-apply fix: 1) Shutdown WebSphere Application Server. 2) Follow the Fix instructions to apply the fix. 3) Restart WebSphere Application Server. Additional Information: