Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-15040

CIBA authorization request returns HTTP 500 NPE when file is wrong

    XMLWordPrintable

    Details

    • Sprint:
      AM 2019.15 - Gears

      Description

      Bug description

      There is HTTP Error 500 when there is wrong POST body in CIBA authorization request.

      How to reproduce the issue

      1. configure openid connect service
      2. add oauth2 client with name and password, add backchannel grant type
      3. do authorize request with JSON file instead of JWT or no payload at all
      Expected behaviour
      Error leading customer to what is expected request payload
      Current behaviour
      $ http -v -a ${USER}:${PASS} POST ${URL}/oauth2/bc-authorize
POST /openam/oauth2/bc-authorize HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Basic bXlDbGllbnRJRDpwYXNzd29yZA==
Connection: keep-alive
Content-Length: 0
Host: amqa-clone70.test.forgerock.com:8080
User-Agent: HTTPie/0.9.8

HTTP/1.1 500 
Connection: close
Content-Length: 24
Content-Type: application/json;charset=UTF-8
Date: Wed, 05 Jun 2019 09:46:41 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

{
    "error": "server_error"
}

$ cat openam/openam/debug/OAuth2Provider 
o.f.o.r.ExceptionHandler: 2019-06-05 10:46:41,688: Thread[http-nio-8080-exec-10]: TransactionId[7eb23208-34c3-4c55-9f2a-a332659acf74-61802]
ERROR: Unhandled exception: 
java.lang.NullPointerException: null
	at org.forgerock.json.jose.common.JwtReconstruction.reconstructJwt(JwtReconstruction.java:61)
	at org.forgerock.oauth2.core.OAuth2Jwt.create(OAuth2Jwt.java:70)
	at org.forgerock.oauth2.restlet.BackChannelResource.backChannelAuthorize(BackChannelResource.java:136)
	at sun.reflect.GeneratedMethodAccessor105.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:483)
	at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:81)
	at org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:77)
	at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
	at org.forgerock.openam.audit.AbstractHttpAccessAuditFilter.filter(AbstractHttpAccessAuditFilter.java:88)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.routing.Router.handle(Router.java:100)
	at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:85)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.routing.Router.handle(Router.java:100)
	at org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:206)
	at org.forgerock.http.routing.Router.handle(Router.java:100)
	at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:88)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:63)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:139)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.openam.http.ResponseContext$ResponseContextFilter.filter(ResponseContext.java:53)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.openam.http.OpenAMHttpApplication.lambda$static$1(OpenAMHttpApplication.java:60)
	at org.forgerock.openam.http.OpenAMHttpApplication$$Lambda$828/1545480468.filter(Unknown Source)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.openam.http.OpenAMHttpApplication.lambda$cacheHeaderFilter$3(OpenAMHttpApplication.java:88)
	at org.forgerock.openam.http.OpenAMHttpApplication$$Lambda$899/1215841189.filter(Unknown Source)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:265)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:47)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)

       

        Attachments

          Activity

            People

            Assignee:
            kevin.umebolu Kevin Umebolu
            Reporter:
            lubomir.mlich Ľubomír Mlích
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: