Hello IBM Folks,

is it possible to define a different context root for the OpenID relying party application WebSphereOIDCRP? I tried to change the context root of the application with the WebSphere admin console to "/customerRoot/oidcclient" but this doesn't affect the redirect_uri passed to the authorize endpoint. The redirect_uri contains only "/oidcclient". So the RP is not found, when the Browser is redirected to this URI. I restarted WebSphere after I changed the context root!

The issue behind this question is, that we have a Web ApplicationFirewall (WAF) at customer site, which is configured to block any URI except URIs with the context root "/customerRoot/*".

Kind regards
Thomas

------------------------------
Thomas Mayr
------------------------------

Hi Thomas,

If you've set a context root on your OIDC EAR that is not the default value of /oidcclient, you set the new context root on the callbackServletContext (not qualified) OIDC TAI custom property.

------------------------------
Barbara Jensen
------------------------------

Original Message:
Sent: Wed August 31, 2022 09:51 AM
From: Thomas Mayr
Subject: Different Context Root for OpenID Relying Party Application WebSphereOIDCRP

Hello IBM Folks,

is it possible to define a different context root for the OpenID relying party application WebSphereOIDCRP? I tried to change the context root of the application with the WebSphere admin console to "/customerRoot/oidcclient" but this doesn't affect the redirect_uri passed to the authorize endpoint. The redirect_uri contains only "/oidcclient". So the RP is not found, when the Browser is redirected to this URI. I restarted WebSphere after I changed the context root!

The issue behind this question is, that we have a Web ApplicationFirewall (WAF) at customer site, which is configured to block any URI except URIs with the context root "/customerRoot/*".

Kind regards
Thomas

------------------------------
Thomas Mayr
------------------------------

Hi Barbara,

thank you, that's it! I've overseen this parameter.

Kind regards
Thomas

------------------------------
Thomas Mayr
------------------------------

Original Message:
Sent: Wed August 31, 2022 10:10 AM
From: Barbara Jensen
Subject: Different Context Root for OpenID Relying Party Application WebSphereOIDCRP

Hi Thomas,

If you've set a context root on your OIDC EAR that is not the default value of /oidcclient, you set the new context root on the callbackServletContext (not qualified) OIDC TAI custom property.

------------------------------
Barbara Jensen

Original Message:
Sent: Wed August 31, 2022 09:51 AM
From: Thomas Mayr
Subject: Different Context Root for OpenID Relying Party Application WebSphereOIDCRP

Hello IBM Folks,

is it possible to define a different context root for the OpenID relying party application WebSphereOIDCRP? I tried to change the context root of the application with the WebSphere admin console to "/customerRoot/oidcclient" but this doesn't affect the redirect_uri passed to the authorize endpoint. The redirect_uri contains only "/oidcclient". So the RP is not found, when the Browser is redirected to this URI. I restarted WebSphere after I changed the context root!

The issue behind this question is, that we have a Web ApplicationFirewall (WAF) at customer site, which is configured to block any URI except URIs with the context root "/customerRoot/*".

Kind regards
Thomas

------------------------------
Thomas Mayr
------------------------------

Hi Barbara,

do you have an idea for this issue, too: https://community.ibm.com/community/user/wasdevops/discussion/openid-relying-party-interceptor-with-interceptedpathfilter-containing-uri-schema-und-authority

This is still a problem for us we hav to solve.

Kind regards
Thomas

------------------------------
Thomas Mayr
------------------------------

Original Message:
Sent: Wed August 31, 2022 10:10 AM
From: Barbara Jensen
Subject: Different Context Root for OpenID Relying Party Application WebSphereOIDCRP

Hi Thomas,

If you've set a context root on your OIDC EAR that is not the default value of /oidcclient, you set the new context root on the callbackServletContext (not qualified) OIDC TAI custom property.

------------------------------
Barbara Jensen

Original Message:
Sent: Wed August 31, 2022 09:51 AM
From: Thomas Mayr
Subject: Different Context Root for OpenID Relying Party Application WebSphereOIDCRP

Hello IBM Folks,

is it possible to define a different context root for the OpenID relying party application WebSphereOIDCRP? I tried to change the context root of the application with the WebSphere admin console to "/customerRoot/oidcclient" but this doesn't affect the redirect_uri passed to the authorize endpoint. The redirect_uri contains only "/oidcclient". So the RP is not found, when the Browser is redirected to this URI. I restarted WebSphere after I changed the context root!

The issue behind this question is, that we have a Web ApplicationFirewall (WAF) at customer site, which is configured to block any URI except URIs with the context root "/customerRoot/*".

Kind regards
Thomas

------------------------------
Thomas Mayr
------------------------------