Cloud Platform


This is an IBM Automation portal for Cloud Platform products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.


Add a new idea Subscribe
Status Not under consideration
Workspace WebSphere Liberty
Created by Guest
Created on Nov 5, 2025

RELATED IDEAS

Open Liberty : Reporting on jwt ALG usage

This ties to the Issue Reporting on jwt ALG usage #33270 raised on gitHub for Open Liberty.

Please feel free to re-allocate to another Workspace if required.


Describe the use case that you want to enable:

The request to to report on ALG settings where OIDC defns are deployed for authn security.
In the case of Open Liberty this means reporting in the message.logs or perhaps even an additional/new log.
(Our full reqt us based on IBM z/OS Connect EE where we would also like messages ti appear in the JESMSGLG but we recognise that this is probably outwith the scope of this Feature Request.)

Describe the use case that you want to enable:

For unique type (i.e. algoritm 'alg=' ) of jwt received identified then report on its usage in the message.log. Note - just the first occurrence.

So if there are 4000 requests and request 1 employs RS256 and request 209 uses HS256 and the 4000th ES256, then three msgs will be reported in the message.log.

Describe why this is important to you:

The intent here is to trap instances (and hence alert) where HS256 is employed, as opposed to RS256 / ES256. Even though HS256 provides encryption its symmetric in nature and hence intrinsically less secure than RS256 / ES256 which are asymmetric.








Idea priority High
  • Admin
    Jahnvi Bedia
    Nov 14, 2025

    Thank you again for opening the issue. At this time, we do not plan on pursuing an enhancement to address this.

    OpenID Connect clients in Liberty currently limit which signature algorithm they accept for tokens they receive to the one specified in the client’s `signatureAlgorithm` setting. To disallow tokens signed with HS256, the respective OpenID Connect clients can either be disabled or updated to require a different algorithm by using the `signatureAlgorithm` configuration attribute.

    OpenID Connect clients in Liberty are also typically configured to intercept only requests that satisfy certain conditions, with those conditions typically configured via an authentication filter (for example, requests that match a particular URL pattern or contain a certain header). Assuming there is a web server handling requests in front of the Liberty server, the web server should be able to log inbound requests that would be processed by an OpenID Connect client that allows HS256 by catching requests that match those same conditions in the client’s authentication filter.

    Looking forward to receiving more ideas from you on the IBM Ideas Portal.

    Reply

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.