Fix (APAR): PI64573
Status: Fix
Release: 8.0.0.12, 8.0.0.11, 8.0.0.10
Operating System: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Supersedes Fixes: PI25298 PI33449 PI37687 PI47460 PI52604 PI55697 PI56331 PI63906 PI59831
CMVC Defect: xxxxxx
Byte size of APAR: 3056864
Date: 2016-06-23

Abstract: oidc: a 403 error may occur if op url encodes the state parameter

Description/symptom of problem:
PI64573 resolves the following problem:

ERROR DESCRIPTION:
A 403 error may occur when the OpenID Connect Relying Party is a partner with an OpenID Connect provider that URL encodes the state parameter.

LOCAL FIX:

PROBLEM SUMMARY
USERS AFFECTED: All IBM WebSphere Application Server users of OpenID Connect Relying Party
PROBLEM DESCRIPTION: A 403 Error may occur when using the OIDC RP
RECOMMENDATION: Install a fix pack or interim fix that contains this APAR.

A 403 error may occur when the OpenID Connect Relying Party is a partner with an OpenID Connect provider that URL encodes the state parameter.

PROBLEM CONCLUSION:
The OpenID Connect specification states that the state parameter must be returned to the client without modification. Because of the way that the WebSphere OpenID Connect Relying Party (RP) is constructing the state parameter, if the OpenID Connect provider (OP) sanitizes the state parameter by URL encoding it, the state parameter will appear to be modified and a 403 error will result.

The OpenID Connect RP is modified to ensure that the state parameter is created in a way that URL encoding it will not change its contents.

The fix for this APAR is currently targeted for inclusion in fix pack 8.0.0.13, 8.5.5.11 and 9.0.0.2.
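The following is an added illustration of the failure mode described above; it is not WebSphere code and does not reproduce IBM's actual state format. It assumes a simplified RP that stores the state it sent and compares it byte-for-byte with the state on the redirect URI, and it models the OP's "sanitizing" as percent-encoding the state value once more before building the query string, so that a state containing reserved characters comes back changed while a state made only of unreserved characters does not.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def state_with_reserved_chars() -> str:
    # Constructed example of a state whose content is altered by percent-encoding:
    # '=', '/' and '+' are reserved characters and get rewritten as %3D, %2F, %2B.
    return "req=" + base64.b64encode(secrets.token_bytes(18)).decode() + "/return"


def state_url_safe() -> str:
    # Fix pattern: base64url without padding uses only A-Z a-z 0-9 '-' '_', which
    # are unreserved characters, so percent-encoding the value is a no-op.
    return base64.urlsafe_b64encode(secrets.token_bytes(24)).decode().rstrip("=")


def survives_url_encoding(state: str) -> bool:
    # True when an OP that URL encodes the state cannot change its contents.
    return quote(state, safe="") == state


def op_redirect(redirect_uri: str, state: str, sanitize: bool) -> str:
    # Simulated OP: a sanitizing OP percent-encodes the state value an extra time
    # before the normal query-string encoding applied by urlencode().
    value = quote(state, safe="") if sanitize else state
    query = urlencode({"code": "constructed-authz-code", "state": value})
    return f"{redirect_uri}?{query}"


def rp_callback(stored_state: str, redirect_url: str) -> int:
    # Simulated RP callback: decode the query once and require an exact match,
    # returning 403 (as in the APAR) when the returned state differs.
    params = parse_qs(urlsplit(redirect_url).query)
    returned = params.get("state", [None])[0]
    return 200 if returned == stored_state else 403


if __name__ == "__main__":
    cb = "https://rp.example/oidc/callback"  # constructed redirect URI
    for make_state in (state_with_reserved_chars, state_url_safe):
        s = make_state()
        status = rp_callback(s, op_redirect(cb, s, sanitize=True))
        print(f"{make_state.__name__}: encoding-safe={survives_url_encoding(s)} -> HTTP {status}")
```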
Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Fix applies to Editions: Release 8.0
_x_ Application Server (Express or BASE)
_x_ Network Deployment (ND)
__ Edge Components
__ Developer

Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes: http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes: http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information: