OpenAM / OPENAM-11492

OpenID Jwk_uri URL returns Internal Server Error

    Details

    • Type: Bug
    • Status: In Progress
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0, 14.1.0
    • Fix Version/s: None
    • Component/s: OpenID Connect

      Description

      Bug description

      When upgrading from an earlier version to AM5, if the test certificate has been removed, the following error occurs. It is only logged when the MESSAGE/WARNING debug level is enabled; it never shows if "ERROR" / default logging is set.

      The REST call returns:

      http://openam.example.com/openam/oauth2/realms/root/realms/test/connect/jwk_uri
      {"error":"server_error","error_description":"Internal Server Error"}

      The debug logs do not show the following unless the WARNING/DEBUG level is enabled:

      OAuth2Provider:08/04/2017 09:39:49:121 AM MDT: Thread[tomcat-http--22,5,main]: TransactionId[269d260b-ebd3-4014-b6f0-13eaa880161f-1034]
      WARNING: Unhandled exception: Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
      Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
              at org.restlet.resource.ServerResource.doHandle(ServerResource.java:539)
              at org.restlet.resource.ServerResource.get(ServerResource.java:742)
              at org.restlet.resource.ServerResource.doHandle(ServerResource.java:617)
      ...
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
              at java.lang.Thread.run(Thread.java:744)
      Caused by: java.lang.NullPointerException
              at org.forgerock.oauth2.core.AgentOAuth2ProviderSettings.getJWKSet(AgentOAuth2ProviderSettings.java:323)
              at org.forgerock.openidconnect.restlet.OpenIDConnectJWKEndpoint.getJWKSet(OpenIDConnectJWKEndpoint.java:72)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:606)
              at org.restlet.resource.ServerResource.doHandle(ServerResource.java:523)
              ... 97 more
      

      How to reproduce the issue

      1. Delete the test certificate from keystore.jceks.
      2. Access http://openam.example.com/openam/oauth2/connect/jwk_uri

      Expected behaviour
      A JSON structure containing the JWK Set.

      Having the code throw an NPE is acceptable, and even forcing jwk_uri to return a server error is acceptable (to highlight the issue). However, not having this flagged in the debug logs even at ERROR level is a problem. Having the code print the alias of the problematic certificate it is looking for would help when this error would otherwise be ignored.

      Current behaviour
      {"error":"server_error","error_description":"Internal Server Error"} 
      

      Work around

      Go to Global configuration > OAuth2 Provider and make sure that the key alias configured under "ID Token Signing Key Alias for Agent Clients" (the alias of the RSA key that should be used for signing ID tokens for Agent OAuth2 Clients) exists in the keystore.

      Code analysis

      As the stack trace above shows, the request fails with a NullPointerException in AgentOAuth2ProviderSettings.getJWKSet (AgentOAuth2ProviderSettings.java:323), called from OpenIDConnectJWKEndpoint.getJWKSet; the missing key alias is never named in the log.
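      The following is an added diagnostic illustrating the handling the report asks for; it is not OpenAM's code. It builds the RSA JWK for one signing alias the way jwk_uri would, but when the alias is absent from the keystore it logs the alias at SEVERE and fails with a descriptive exception instead of an NPE. The class and helper names, the use of the alias as "kid", and the command-line arguments (keystore path, store password, alias) are assumptions.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical diagnostic (not OpenAM code): resolves the configured signing alias
// defensively and emits the JWK Set that jwk_uri is expected to return.
public class JwkAliasCheck {
    private static final Logger LOG = Logger.getLogger(JwkAliasCheck.class.getName());

    // Returns the RSA public key stored under alias, or fails naming the alias.
    static RSAPublicKey signingKey(KeyStore ks, String alias) throws Exception {
        Certificate cert = ks.getCertificate(alias); // null when the alias does not exist
        if (cert == null) {
            // The log line the report asks for: it names the alias that could not be found.
            LOG.log(Level.SEVERE, "ID token signing key alias {0} not found in keystore", alias);
            throw new IllegalStateException("missing key alias: " + alias);
        }
        PublicKey pub = cert.getPublicKey();
        if (!(pub instanceof RSAPublicKey)) {
            throw new IllegalStateException("alias " + alias + " is not an RSA key: " + pub.getAlgorithm());
        }
        return (RSAPublicKey) pub;
    }

    // Base64urlUInt per RFC 7518: unsigned big-endian bytes, no padding, no leading zero octet.
    static String b64url(BigInteger i) {
        byte[] b = i.toByteArray();
        if (b.length > 1 && b[0] == 0) {
            byte[] t = new byte[b.length - 1];
            System.arraycopy(b, 1, t, 0, t.length);
            b = t;
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // One JWK for the alias; "kid" set to the alias is an assumption of this example.
    static String toJwk(String alias, RSAPublicKey key) {
        return "{\"kty\":\"RSA\",\"use\":\"sig\",\"alg\":\"RS256\",\"kid\":\"" + alias
                + "\",\"n\":\"" + b64url(key.getModulus())
                + "\",\"e\":\"" + b64url(key.getPublicExponent()) + "\"}";
    }

    // Usage: java JwkAliasCheck <keystore.jceks> <storepass> <alias>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        System.out.println("{\"keys\":[" + toJwk(args[2], signingKey(ks, args[2])) + "]}");
    }
}
```

      Running it against the alias configured under "ID Token Signing Key Alias for Agent Clients" either prints the JWK Set or names the missing alias, which is the check the workaround above asks an administrator to perform by hand.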

             People

             • Assignee: Unassigned
             • Reporter: chee-weng.chea C-Weng C