OpenAM / OPENAM-13414

Upgrade to AM6 fails if OAuth2 Provider service lacks tokenSigningHmacSharedSecret

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4
    • Fix Version/s: 6.0.0.5, 6.5.0, 6.0.1
    • Component/s: oauth2, upgrade

      Description

      Bug description

On an AM 13.5.1 instance with an OAuth2 Provider service that was created with ssoadm and that lacks tokenSigningHmacSharedSecret, it is not possible to upgrade, and the amUpgrade log will contain

      amUpgrade:08/07/2018 08:45:50:971 AM SGT: Thread[http-nio-8080-exec-6,5,main]: TransactionId[1f2a7071-92a2-4e8a-aa8c-5337983eb63c-125]
      ERROR: An error occurred while trying to upgrade an OAuth2 Provider
      java.lang.NullPointerException
              at org.forgerock.openam.upgrade.steps.UpgradeOAuth2ProviderStep.encodeSecrets(UpgradeOAuth2ProviderStep.java:242)
              at org.forgerock.openam.upgrade.steps.UpgradeOAuth2ProviderStep.perform(UpgradeOAuth2ProviderStep.java:221)
              at org.forgerock.openam.upgrade.UpgradeServices.upgrade(UpgradeServices.java:153)
              at com.sun.identity.config.upgrade.Upgrade.doUpgrade(Upgrade.java:68)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.apache.click.util.ClickUtils.invokeMethod(ClickUtils.java:3317)
              at org.apache.click.util.ClickUtils.invokeListener(ClickUtils.java:2088)
              at org.apache.click.control.AbstractControl$1.onAction(AbstractControl.java:228)
      ....
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:745)
      amUpgrade:08/07/2018 08:45:50:972 AM SGT: Thread[http-nio-8080-exec-6,5,main]: TransactionId[1f2a7071-92a2-4e8a-aa8c-5337983eb63c-125]
      ERROR: Error occured while upgrading OpenAM
      org.forgerock.openam.upgrade.UpgradeException: Unable to upgrade OAuth2 Providers.
              at org.forgerock.openam.upgrade.steps.UpgradeOAuth2ProviderStep.encodeSecrets(UpgradeOAuth2ProviderStep.java:255)
              at org.forgerock.openam.upgrade.steps.UpgradeOAuth2ProviderStep.perform(UpgradeOAuth2ProviderStep.java:221)
              at org.forgerock.openam.upgrade.UpgradeServices.upgrade(UpgradeServices.java:153)
              at com.sun.identity.config.upgrade.Upgrade.doUpgrade(Upgrade.java:68)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
      ...
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:745)
      Caused by: java.lang.NullPointerException
              at org.forgerock.openam.upgrade.steps.UpgradeOAuth2ProviderStep.encodeSecrets(UpgradeOAuth2ProviderStep.java:242)
              ... 53 more
      

      and upgrade fails with

      upgrade.oauth2.provider.encode.secrets.start; Failed!

      How to reproduce the issue


      1. Install 13.5.1
      2. Create a test realm
      3. Create the OAuth2Provider through ssoadm (or delete the sunKeyValue for tokenSigningHmacSharedSecret on ou=default,ou=OrganizationConfig,ou=1.0,ou=OAuth2Provider,ou=services,o=test,ou=services,dc=openam,dc=forgerock,dc=org)
      4. Perform the AM 6 upgrade
      Expected behaviour

      Upgrade works

      Current behaviour

      Upgrade stops at

      Removing files sub-schema from IdRepo; Done.
      Adding agents permissions to read user profile attributes; Done.
      Creating new delegation permissions; Done.
      Updating existing delegation privileges; Done.
      Enabling user self-editing of USS KBA information; Done.
      Ensuring iPlanetAMPlatformService service is ready for REST SMS; Done.
      Ensuring ScriptingService service is ready for REST SMS; Done.
      Ensuring sunIdentityRepositoryService service is ready for REST SMS; Done.
      Upgrading i18nKeys in AgentService; Done.
      upgrade.oauth2.provider.encode.secrets.start; Failed!

      Workaround

      Make sure all realms have the token signing secret. (You can use the OAuth2 dashboard to recreate the service, or explicitly add a known secret to "Token Signing HMAC Shared Secret".)

       

      Code analysis

      The cause is partly due to the introduction of OPENAM-12080 to upgrade the HMAC secret (done in AM 6.0).

      UpgradeOAuth2ProviderStep.java
      Simply skip the encoding when the attribute value is null:

      241                final Set<String> secrets = attributes.get(attributeKey);
      242                if (!secrets.isEmpty()) { <--- secrets == null here, so isEmpty() throws NullPointerException

      So CollectUtils.isNotEmpty(secrets) should work.
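As an added example (not code from the OpenAM project or from this ticket), the null-unsafe check beside its null-safe form, applied to a constructed attribute map in which tokenSigningHmacSharedSecret is absent; the class and method names and the Base64 encoding are assumptions:

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

// Constructed illustration of the defect in the Code analysis above, not the real
// UpgradeOAuth2ProviderStep code; the encodeSecrets* names and the map shape are assumptions.
public class SecretUpgradeDemo {
    static final String HMAC_KEY = "tokenSigningHmacSharedSecret";

    // Pre-fix shape: Map.get() returns null for a missing attribute, so
    // secrets.isEmpty() dereferences null and the whole upgrade step fails.
    static Map<String, Set<String>> encodeSecretsUnsafe(Map<String, Set<String>> attributes) {
        Map<String, Set<String>> upgraded = new HashMap<>(attributes);
        Set<String> secrets = attributes.get(HMAC_KEY);
        if (!secrets.isEmpty()) {                  // NullPointerException when HMAC_KEY is absent
            upgraded.put(HMAC_KEY, encode(secrets));
        }
        return upgraded;
    }

    // Null-safe shape of the fix the ticket suggests: an absent or empty attribute
    // is skipped rather than dereferenced, and the rest of the upgrade proceeds.
    static Map<String, Set<String>> encodeSecretsSafe(Map<String, Set<String>> attributes) {
        Map<String, Set<String>> upgraded = new HashMap<>(attributes);
        Set<String> secrets = attributes.get(HMAC_KEY);
        if (secrets != null && !secrets.isEmpty()) {
            upgraded.put(HMAC_KEY, encode(secrets));
        }
        return upgraded;
    }

    // Stand-in for the encoding the upgrade applies; the ticket does not show it, so Base64 is assumed.
    static Set<String> encode(Set<String> secrets) {
        Set<String> encoded = new LinkedHashSet<>();
        for (String s : secrets) {
            encoded.add(Base64.getEncoder().encodeToString(s.getBytes(StandardCharsets.UTF_8)));
        }
        return encoded;
    }

    public static void main(String[] args) {
        // Constructed config as ssoadm creates it: no tokenSigningHmacSharedSecret attribute at all.
        Map<String, Set<String>> ssoadmProvider = new HashMap<>();
        System.out.println("safe: " + encodeSecretsSafe(ssoadmProvider));
        try {
            encodeSecretsUnsafe(ssoadmProvider);
        } catch (NullPointerException e) {
            System.out.println("unsafe: NullPointerException, matching the amUpgrade trace above");
        }
    }
}
```

The safe variant leaves the attribute unset, which is why the workaround above (populating the secret in every realm) still matters after the upgrade completes.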
      

            People

            • Assignee: chee-weng.chea (C-Weng C)
            • Reporter: chee-weng.chea (C-Weng C)