Bug description
The server returns HTTP error 500 when the POST body of a CIBA authorization request is wrong or missing.
How to reproduce the issue
- configure the OpenID Connect service
- add an OAuth2 client with a name and password, and add the backchannel grant type
- send the authorize request with a JSON file instead of a JWT, or with no payload at all
Expected behaviour
An error response that tells the customer what request payload is expected, instead of an unhandled exception surfacing as a generic "server_error".
Current behaviour
$ http -v -a ${USER}:${PASS} POST ${URL}/oauth2/bc-authorize
POST /openam/oauth2/bc-authorize HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Basic bXlDbGllbnRJRDpwYXNzd29yZA==
Connection: keep-alive
Content-Length: 0
Host: amqa-clone70.test.forgerock.com:8080
User-Agent: HTTPie/0.9.8

HTTP/1.1 500
Connection: close
Content-Length: 24
Content-Type: application/json;charset=UTF-8
Date: Wed, 05 Jun 2019 09:46:41 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

{ "error": "server_error" }

$ cat openam/openam/debug/OAuth2Provider
o.f.o.r.ExceptionHandler: 2019-06-05 10:46:41,688: Thread[http-nio-8080-exec-10]: TransactionId[7eb23208-34c3-4c55-9f2a-a332659acf74-61802]
ERROR: Unhandled exception: java.lang.NullPointerException: null
    at org.forgerock.json.jose.common.JwtReconstruction.reconstructJwt(JwtReconstruction.java:61)
    at org.forgerock.oauth2.core.OAuth2Jwt.create(OAuth2Jwt.java:70)
    at org.forgerock.oauth2.restlet.BackChannelResource.backChannelAuthorize(BackChannelResource.java:136)
    at sun.reflect.GeneratedMethodAccessor105.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:81)
    at org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:77)
    at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
    at org.forgerock.openam.audit.AbstractHttpAccessAuditFilter.filter(AbstractHttpAccessAuditFilter.java:88)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:85)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:206)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:88)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:63)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:139)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.openam.http.ResponseContext$ResponseContextFilter.filter(ResponseContext.java:53)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.openam.http.OpenAMHttpApplication.lambda$static$1(OpenAMHttpApplication.java:60)
    at org.forgerock.openam.http.OpenAMHttpApplication$$Lambda$828/1545480468.filter(Unknown Source)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.openam.http.OpenAMHttpApplication.lambda$cacheHeaderFilter$3(OpenAMHttpApplication.java:88)
    at org.forgerock.openam.http.OpenAMHttpApplication$$Lambda$899/1215841189.filter(Unknown Source)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:265)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:47)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)