WebSphere Application Server & Liberty


problems with OIDC authorization scopes

  • 1.  problems with OIDC authorization scopes

    Posted Tue April 29, 2025 09:34 AM

    Dear community members,

    For a few years I have been successfully using OIDC with the scope "provider_1.scope = openid".
    Now I have added 3 authorization scopes "authorization_group entitlement_group scoped_entitlement" to the scope property of the com.ibm.ws.security.oidc.client.RelyingParty:

    But now the method "com.ibm.websphere.security.oidc.util.OidcClientHelper.getUserInfoFromSubject(<subj>)" throws an error: 

    USERINFO_NOT_VALID: [CWTAI2088E: The OIDC TAI cannot verify the response from the UserInfo endpoint, . CWTAI2089E: The response is not in JSON format. Failed to parse JSON string....

    But the response from the UserInfo endpoint seems to be in correct JSON format. I can see it in the log:

    SourceId: com.ibm.ws.security.oidc.client.SessionData.setUserInfo returns [{"sub":"ULRHAV","entitlement_group":["testrole","administrator"],"app_id":"ABCDE"}]

    Furthermore, the method "com.ibm.websphere.security.oidc.util.OidcClientHelper.getScopeFromSubject(<subj>)" returns null.

    How can I get the scope from the response? Is this a known problem? I'm running WebSphere Application Server traditional Version 9.0.5.17.

    Thank you in advance
    Ulrich



    ------------------------------
    Ulrich Haverkamp
    ------------------------------


  • 2.  RE: problems with OIDC authorization scopes

    Posted Wed April 30, 2025 07:41 AM

    Hello Ulrich, 

    I think the problem is with the value of the scope properties.

    provider_<id>.scope By default, this property is set to the value of openid profile. Specifies the scope of the token that is requested from the OpenID Connect Provider. This property determines the level of authorization the issued token would have. For example: openid general.

    CWTAI2089E: The response is not in JSON format. {0}
    Explanation The OIDC TAI received a response that is not in JSON format from an endpoint that is required to respond with a JSON string.
    Action Perform the following actions: 1) Make sure that you set the correct endpoint in the OIDC TAI properties, 2) Make sure that your OpenID provider returns a value that is a valid JSON string.
    https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes


    ------------------------------
    Ajit Jariwala
    ------------------------------



  • 3.  RE: problems with OIDC authorization scopes

    Posted Wed April 30, 2025 08:40 AM

    Hello Ajit

    thank you for your response.

    My OpenID provider provides the wanted information about sub and entitlement_group. I can see it in a few log messages. For example:

    SourceId: com.ibm.ws.security.oidc.client.SessionData.setUserInfo returns [{"sub":"ULRHAV","entitlement_group":["testrole","administrator"],"app_id":"ABCDE"}]

    Currently I suppose that there is an error in the implementation of the OidcClientHelper class. This morning I found an iFix that maybe fits my problem:

    https://www.ibm.com/support/pages/apar/PH65119



    I will ask my data center whether it's possible to install this iFix in our DEV-environment.

    Thank you
    Ulrich



    ------------------------------
    Ulrich Haverkamp
    ------------------------------



  • 4.  RE: problems with OIDC authorization scopes

    Posted Fri May 02, 2025 08:59 AM

    > Currently I suppose that there is an error in the implementation of the OidcClientHelper-class. Today in the morning I found an iFix that maybe fits my problem:

    > https://www.ibm.com/support/pages/apar/PH65119

    Hi Ulrich, your error doesn't quite match PH65119. I don't see the IllegalStateException that jose4j emits. Was that in the message but you didn't paste it here?

    When you look at an OIDC trace, do you see that the runtime is attempting to process the user info output as a JWT? (As opposed to a regular JSON)

    Do you have PH60195 installed? You can find it if you search the trace for getVersion and see 1.5.3 as the version. This fix brings you up to at least the OIDC runtime that is in 9.0.5.20. It doesn't contain PH65119, nor is it as far forward as moving up to 9.0.5.23, but it is better than 9.0.5.17.

    Also, if you can write an IBM support ticket, I can produce an ifix for PH65119 for you.



    ------------------------------
    Barbara Jensen
    ------------------------------



  • 5.  RE: problems with OIDC authorization scopes

    Posted Mon May 05, 2025 11:42 AM

    Hi Barbara
    thank you for your help :-) In the following you can see my answers to your questions:

    1.
    Version 1.5.2 is installed:
      SourceId: com.ibm.ws.security.oidc.client.RelyingParty.getVersion returns [1.5.2]


    2.
    PH60195 is installed. Here is the list of iFixes:
      ExtendedMessage: BBOJ0138I: THE SERVER HAS THE FOLLOWING INTERIM FIXES INSTALLED IN THE RUNTIME: 9.0.0.0-WS-WASProd-IFPH60195(PH00569,PH02192,PH03525,PH07297,PH08804,PH10503,PH10892,PH11107,PH11684,PH12520,PH13175,PH14676,PH15248,PH15626,PH17304,PH18150,PH19189,PH19333,PH19907,PH20118,PH21008,PH21178,PH21611,PH21827,PH22038,PH22195,PH22621,PH23572,PH23614,PH23697,PH24737,PH25547,PH25697,PH25774,PH26523,PH26925,PH27173,PH27213,PH27514,PH27827,PH27971,PH28253,PH28386,PH28534,PH29099,PH30118,PH30368,PH30911,PH31682,PH32257,PH33170,PH34227,PH34840,PH35185,PH35481,PH36335,PH39666,PH39847,PH40532,PH40533,PH43169,PH44467,PH44692,PH45044,PH45297,PH45740,PH46324,PH46408,PH47272,PH47482,PH48083,PH49279,PH49566,PH51485,PH52459,PH52683,PH55042,PH55077,PH58024,PH60195,PI55697,PI59831,PI63906,PI64573,PI64924,PI65751,PI73318,PI74857,PI75095,PI78336,PI80317,PI80543,PI80549,PI82308,PI84244,PI86752,PI87354,PI88253,PI88896,PI90373,PI92210,PI92332,PI94538,PI96403,PI96508),9.0.0.7-WS-WAS-IFPH61504(PH61504),9.0.5.15-WS-WAS-OS39064-IFPH61808(PH58869,PH59304,PH59682,PH61068,PH61385,PH61808),9.0.5.7-WS-WAS-IFPH61489(PH61489)

    3.

    It seems to me that the userinfo is processed as a JWT:
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.client.RelyingPartyUtils.processUserInfo (userinfo[{"sub":"ULRHAV","entitlement_group":["testrole","administrator"],"app_id":"ABCDE"}], idtoken[com.ibm.ws.security.oidc.client.Payload], rpConfig[null])
      ExtendedMessage: Entry
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.client.RelyingPartyUtils.getUserInfoString (userinfo[{"sub":"ULRHAV","entitlement_group":["testrole","administrator"],"app_id":"ABCDE"}])
      ExtendedMessage: Entry
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.util.JSONUtil.isJwtFormat(tokenString[{"sub":"ULRHAV","entitlement_group":["testrole","administrator"],"app_id":"ABCDE"}])
      ExtendedMessage: Entry
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.util.JSONUtil.isJwtFormat returns [true]
      ExtendedMessage: Exit
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.util.JSONUtil.getClaimsFromJwtAsString(jwtString[{"sub":"ULRHAV","entitlement_group":["testrole","administrator"],"app_id":"ABCDE"}])
      ExtendedMessage: Entry
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.util.JSONUtil.isJwtFormat(tokenString[{"sub":"ULRHAV","entitlement_group":["testrole","administrator"],"app_id":"ABCDE"}])
      ExtendedMessage: Entry
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.util.JSONUtil.isJwtFormat returns [true]
      ExtendedMessage: Exit
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.util.JSONUtil.decode(encInput[testrolle1","ZEM])
      ExtendedMessage: Entry
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.util.JSONUtil.decode returns [µë-®‰e{VD]
      ExtendedMessage: Exit
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.util.JSONUtil.getClaimsFromJwtAsString returns [µë-®‰e{VD])
      ExtendedMessage: Exit
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.client.RelyingPartyUtils.getUserInfoString returns [µë-®‰e{VD])
      ExtendedMessage: Exit
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.client.RelyingPartyUtils.isUserInfoValid (userinfo[µë-®‰e{VD], idtoken[com.ibm.ws.security.oidc.client.Payload], rpConfig[null])
      ExtendedMessage: Entry
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.util.JSONUtil.isJsonString(inString[µë-®‰e{VD])
      ExtendedMessage: Entry
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.util.JSONUtil.getJsonObject(data[µë-®‰e{VD])
      ExtendedMessage: Entry
    Trace: 2025/04/25 17:53:31.320 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.util.JSONUtil
      ExtendedMessage: Failed to parse the JSON string, exception [com.google.gson.stream.MalformedJsonException: Use JsonReader.setLenient(true) to accept malformed JSON at line 1 column 8]
    Trace: 2025/04/25 17:53:31.321 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.util.JSONUtil
      ExtendedMessage: CWTAI2089E: The response is not in JSON format. Failed to parse JSON string [com.google.gson.JsonSyntaxException: com.google.gson.stream.MalformedJsonException: Use JsonReader.setLenient(true) to accept malformed JSON at line 1 column 8]
    Trace: 2025/04/25 17:53:31.321 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.client.RelyingPartyUtils
      ExtendedMessage: The user info is not valid so it will not be stored.
    Trace: 2025/04/25 17:53:31.321 02 t=9AB840 c=UNK key=P8 tag= (13007004)
      SourceId: com.ibm.ws.security.oidc.client.RelyingPartyUtils.processUserInfo returns [USERINFO_NOT_VALID: [CWTAI2088E: The OIDC TAI cannot verify the response from the UserInfo endpoint, . CWTAI2089E: The response is not in JSON format. Failed to parse JSON string [com.google.gson.JsonSyntaxException: com.google.gson.stream.MalformedJsonException: Use JsonReader.setLenient(true) to accept malformed JSON at line 1 column 8]]])
      ExtendedMessage: Exit

    4.

    I also don't see an IllegalStateException emitted by jose4j.

    Thank you
    Ulrich



    ------------------------------
    Ulrich Haverkamp
    ------------------------------



  • 6.  RE: problems with OIDC authorization scopes

    Posted Fri May 02, 2025 09:10 AM

    Hi Ulrich, if you don't care about the userInfo, you can set the provider_1.userinfoEndpointEnabled property to false.  When you set this property/value, the OIDC runtime does not go to the OP for the userInfo data.



    ------------------------------
    Barbara Jensen
    ------------------------------



  • 7.  RE: problems with OIDC authorization scopes

    Posted Mon May 05, 2025 11:48 AM

    Hi Barbara

    I need the information about the login user ID and the entitlement groups. As far as I know this information is part of the userinfo, or am I wrong?

    Or is there another way to get this data from the OP response?

    By the way:
    Our data center will download PH65119 from IBM and install it. I'm not authorized to do it.

    Thank you
    Ulrich



    ------------------------------
    Ulrich Haverkamp
    ------------------------------



  • 8.  RE: problems with OIDC authorization scopes

    Posted Mon May 05, 2025 12:31 PM
    Edited by Barbara Jensen Mon May 05, 2025 12:34 PM

    Hi Ulrich, yes, the information that you are looking for is most likely in the user info.  However, it should also be in the idToken (or access token if you are using JWT authentication), which is also available to access via the OidcClientHelper APIs.


    Also, I see this entry in your pasted trace snippet:

    com.ibm.ws.security.oidc.util.JSONUtil.isJwtFormat returns [true]

    This tells me that the APAR previously mentioned, PH65119, should fix your userinfo problem.


    ------------------------------
    Barbara Jensen
    ------------------------------
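The trace in reply 5 shows JSONUtil.isJwtFormat returning true for a body that is a plain JSON object, after which the runtime base64url-decodes a fragment of the JSON text (the decode call receives the characters that lie between two dots of the body) as if it were a JWT payload segment, and the garbage that comes out fails the JSON parse behind CWTAI2089E. The Python below is an added illustration of that failure mode, not code from WebSphere, from IBM or from any poster: it contrasts a dot-counting heuristic with a structural compact-JWS check and shows a relying-party parse routine that never sends a JSON object down the JWT path. The sample bodies, the header values, the entitlement group names and the placeholder signature segment are constructed; signature verification against the OP's JWKS is assumed to be done by the caller before any claim is trusted.

```python
import base64
import json
import re

# Constructed sample bodies (not the poster's real data). The second one has
# dots inside claim values, which is enough to fool a dot-counting heuristic.
USERINFO_JSON = '{"sub":"ULRHAV","entitlement_group":["testrole","administrator"],"app_id":"ABCDE"}'
USERINFO_JSON_WITH_DOTS = '{"sub":"ULRHAV","entitlement_group":["grp.test","grp.admin"]}'

# base64url alphabet only; the '+' rejects empty segments, so an unsecured JWS
# with an empty signature part is rejected as well.
_B64URL_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used by compact JWS serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore padding before decoding; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_jws(claims: dict) -> str:
    """Build a compact-JWS-shaped string for demonstration. The header values and
    the signature segment are placeholders; nothing is actually signed."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.AAAA"


def naive_is_jwt(body: str) -> bool:
    """Dot-counting heuristic ('two dots means three JWT segments'). It misfires on
    any JSON text whose values happen to contain exactly two dots."""
    return body.count(".") == 2


def strict_is_jwt(body: str) -> bool:
    """Structural check for compact JWS: exactly three base64url segments, and the
    first one decodes to a JSON object carrying an 'alg' member."""
    parts = body.split(".")
    if len(parts) != 3 or not all(_B64URL_SEGMENT.match(p) for p in parts):
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON in the header
        return False
    return isinstance(header, dict) and "alg" in header


def parse_userinfo(body: str) -> dict:
    """Return the claims of a UserInfo response. A body starting with '{' is a
    JSON object and is never run through the JWT path; anything else must be a
    structurally valid compact JWS. The caller is assumed to verify the JWS
    signature against the OP's JWKS before trusting the returned claims."""
    text = body.strip()
    if text.startswith("{"):
        claims = json.loads(text)
    elif strict_is_jwt(text):
        claims = json.loads(b64url_decode(text.split(".")[1]))
    else:
        raise ValueError("UserInfo response is neither a JSON object nor a compact JWS")
    if not isinstance(claims, dict) or "sub" not in claims:
        raise ValueError("UserInfo claims must be a JSON object containing 'sub'")
    return claims


if __name__ == "__main__":
    samples = (USERINFO_JSON, USERINFO_JSON_WITH_DOTS, make_constructed_jws({"sub": "ULRHAV"}))
    for sample in samples:
        print(naive_is_jwt(sample), strict_is_jwt(sample), parse_userinfo(sample)["sub"])
```

Run stand-alone, the script shows the heuristic flagging the dotted JSON body as a JWT while the structural check does not, and parse_userinfo returning the claims for all three bodies. The point for a relying party is that the classification of an endpoint response has to be decided by its first character and segment structure, not by a substring count, because claim values are attacker- and provider-controlled text.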



  • 9.  RE: problems with OIDC authorization scopes

    Posted Fri May 16, 2025 10:51 AM

    Hi Barbara

    I would just like to inform you that my problem has been solved with this APAR :-)

    Thank you



    ------------------------------
    Ulrich Haverkamp
    ------------------------------



  • 10.  RE: problems with OIDC authorization scopes

    Posted Mon May 19, 2025 10:39 AM

    That's great!  I'm glad that I could help.



    ------------------------------
    Barbara Jensen
    ------------------------------