OpenAM / OPENAM-12215

NPE thrown when calling OIDC authorize endpoint with invalid SSOToken

    Details

    • Sprint: Sprint 2017.17 Newton, Sprint 2018.1 Newton
    • Needs backport: Yes
    • Needs QA verification: Yes
    • Functional tests: No
    • Are the reproduction steps defined?: Yes, and I used the same as in the description

      Description

      Bug description

      When issuing a REST call like the following (note the `&` between redirect_uri and scope, and the closing quote on the URL):

      curl -s -D - -k --request POST --cookie 'iPlanetDirectoryPro=W_CP_Nrv-11neoaOGbA2rdYzKm0.*AAJTSQACMDEAAlNLABxFeDhPQ2ppM05aclp2SDNnMVpCNnZiY1lBb0E9AAJTMQAA*' --header 'Content-Type: application/x-www-form-urlencoded' --header 'Cache-control: no-cache' --data 'response_type=token%20id_token&client_id=myOIDCClient&redirect_uri=http://localhost/test&scope=openid%20profile&save_consent=0&decision=allow&nonce=nonce&response_mode=&csrf=W_CP_Nrv-11neoaOGbA2rdYzKm0.*AAJTSQACMDEAAlNLABxFeDhPQ2ppM05aclp2SDNnMVpCNnZiY1lBb0E9AAJTMQAA*' 'http://openam.example.com:8080/openam/oauth2/authorize?realm=/'


      The call fails with a server error 500 and the logs show:

      Caused by: java.lang.NullPointerException
              at org.forgerock.oauth2.core.CsrfProtection.isCsrfAttack(CsrfProtection.java:52)
              at org.forgerock.oauth2.core.AuthorizationService.handlePostRequest(AuthorizationService.java:343)
              at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:180)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.restlet.resource.ServerResource.doHandle(ServerResource.java:520)
              ... 81 more
      

       

      How to reproduce the issue


      1. Set up an OpenID agent like the ones in https://backstage.forgerock.com/docs/am/5.5/oidc1-guide/#chap-oidc1-usage
      2. Send a REST call like the one above (with an expired or invalid SSOToken)
      3. Check whether the HTTP response is 500 and whether there is an NPE (enable message debug)

      Expected behaviour

      At least an error like 400 (Bad Request) is expected, and surely not 500.

      Current behaviour

      Server error 500
      

      Workaround

      Just make sure to authorize with a valid SSOToken.

      org.forgerock.oauth2.core.CsrfProtection.java
      51        SSOToken ssoToken = resourceOwnerSessionValidator.getResourceOwnerSession(request);
      52        String ssoTokenId = ssoToken.getTokenID().toString();
      53        String csrfValue = request.getParameter("csrf");
      

      ssoToken can be null on return, so this needs to be guarded against.
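As an added illustration of the guard described above (example code, not OpenAM's own), the following standalone Java class shows the null check a fixed isCsrfAttack could carry, so that an expired or invalid SSOToken produces a client error rather than an unhandled NullPointerException. Only getResourceOwnerSession(request), getTokenID().toString() and getParameter("csrf") come from the snippet in this issue; the TokenId, SsoToken, Request, SessionValidator and InvalidSessionException types are hypothetical stand-ins for the real OpenAM classes, and the session id in main() is constructed. The constant-time comparison via MessageDigest.isEqual is a design choice of this example, not something the issue states about the real implementation.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example, not OpenAM code: a null-guarded version of the CSRF check
// quoted in OPENAM-12215. All types below are hypothetical stand-ins.
public class CsrfGuardExample {

    /** Stand-in for the SSOToken id type; only toString() is used, as in the snippet. */
    static final class TokenId {
        private final String value;
        TokenId(String value) { this.value = value; }
        @Override public String toString() { return value; }
    }

    /** Stand-in for the SSOToken type (assumed shape). */
    interface SsoToken { TokenId getTokenID(); }

    /** Stand-in for the OAuth2 request object (assumed shape). */
    interface Request { String getParameter(String name); }

    /** Stand-in for ResourceOwnerSessionValidator; returns null when there is no live session. */
    interface SessionValidator { SsoToken getResourceOwnerSession(Request request); }

    /** Hypothetical client-error exception that the endpoint would map to HTTP 400. */
    static final class InvalidSessionException extends RuntimeException {
        InvalidSessionException(String message) { super(message); }
    }

    private final SessionValidator resourceOwnerSessionValidator;

    CsrfGuardExample(SessionValidator resourceOwnerSessionValidator) {
        this.resourceOwnerSessionValidator = resourceOwnerSessionValidator;
    }

    /**
     * Returns true when the csrf parameter does not match the caller's session id.
     * Throws InvalidSessionException (a 400-class error) when there is no valid
     * session, instead of dereferencing null and surfacing as a 500.
     */
    boolean isCsrfAttack(Request request) {
        SsoToken ssoToken = resourceOwnerSessionValidator.getResourceOwnerSession(request);
        // The guard the issue asks for: an expired or invalid SSOToken yields null here.
        if (ssoToken == null || ssoToken.getTokenID() == null) {
            throw new InvalidSessionException("no valid resource owner session (expired or invalid SSOToken)");
        }
        String ssoTokenId = ssoToken.getTokenID().toString();
        String csrfValue = request.getParameter("csrf");
        if (csrfValue == null) {
            return true; // missing csrf parameter is a rejected request, not a server fault
        }
        // Constant-time comparison so the check does not leak the session id by timing.
        return !MessageDigest.isEqual(
                ssoTokenId.getBytes(StandardCharsets.UTF_8),
                csrfValue.getBytes(StandardCharsets.UTF_8));
    }

    /** Builds a request whose only parameter is csrf (constructed test input). */
    static Request requestWithCsrf(String csrf) {
        return name -> "csrf".equals(name) ? csrf : null;
    }

    public static void main(String[] args) {
        String sessionId = "AQIC5wM2LY4SfczExampleSessionId.*AAJTSQACMDEAAlNLABQtNjYz*"; // constructed
        CsrfGuardExample live = new CsrfGuardExample(request -> () -> new TokenId(sessionId));
        CsrfGuardExample expired = new CsrfGuardExample(request -> null); // validator finds no session

        System.out.println("live session, csrf == session id -> attack? " + live.isCsrfAttack(requestWithCsrf(sessionId)));
        System.out.println("live session, csrf mismatch      -> attack? " + live.isCsrfAttack(requestWithCsrf("stale-or-forged")));
        try {
            expired.isCsrfAttack(requestWithCsrf(sessionId));
        } catch (InvalidSessionException e) {
            System.out.println("expired session                  -> client error instead of NPE/500: " + e.getMessage());
        }
    }
}
```

Compile and run with javac and java. The first two calls return false and true respectively; the third ends in InvalidSessionException, which the authorize endpoint would translate into a 400-class response, which is the expected behaviour the issue asks for in place of the NullPointerException at CsrfProtection.java:52.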

            People

            • Assignee: dipu.seminlal (Dipu Seminlal)
            • Reporter: chee-weng.chea (C-Weng C)
