
wrong JWT while obtaining CIBA auth request id will result in HTTP 500 NPE

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.2, 7.0.0
    • Fix Version/s: 7.0.0, 6.5.3
    • Component/s: oauth2
    • Labels:
    • Sprint: AM 2019.15 - Gears
    • Functional tests: Yes

      Description

      Bug description

      When I remove the last character from the JWT used for the CIBA Auth Request Id, the server will return an HTTP 500 error and there is an NPE in debug

      ERROR: Unhandled exception: 
      java.lang.NullPointerException: null
      	at org.forgerock.json.jose.jws.SupportedEllipticCurve.forSignature(SupportedEllipticCurve.java:181)
      	at org.forgerock.json.jose.utils.DerUtils.encodeEcdsaSignature(DerUtils.java:168)
      	at org.forgerock.json.jose.jws.handlers.SecretECDSASigningHandler.verify(SecretECDSASigningHandler.java:79)
      	at org.forgerock.json.jose.jws.SignedJwt.verify(SignedJwt.java:194)
      	at org.forgerock.openam.jwt.JwtSignatureVerificationHandler$$Lambda$863/1272821841.test(Unknown Source)
      	at java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
      	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
      	at java.util.stream.StreamSpliterators$WrappingSpliterator.tryAdvance(StreamSpliterators.java:302)
      	at java.util.stream.Streams$ConcatSpliterator.tryAdvance(Streams.java:727)
      	at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
      	at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:529)
      	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:516)
      	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:502)
      	at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
      	at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
      	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
      	at java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:449)
      	at org.forgerock.openam.jwt.JwtSignatureVerificationHandler.verifyJwsSignature(JwtSignatureVerificationHandler.java:107)
      	at org.forgerock.openam.jwt.JwtSignatureVerificationHandler.verifyJwsSignature(JwtSignatureVerificationHandler.java:71)
      	at org.forgerock.openam.oauth2.OpenAMClientRegistration.verifyBackChannelAuthRequestJwt(OpenAMClientRegistration.java:815)
      	at org.forgerock.oauth2.restlet.BackChannelResource.backChannelAuthorize(BackChannelResource.java:137)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:483)
      	at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:81)
      	at org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:77)
      	at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
      	at org.forgerock.openam.audit.AbstractHttpAccessAuditFilter.filter(AbstractHttpAccessAuditFilter.java:88)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.routing.Router.handle(Router.java:100)
      	at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:85)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.routing.Router.handle(Router.java:100)
      	at org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:206)
      	at org.forgerock.http.routing.Router.handle(Router.java:100)
      	at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:88)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:63)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:139)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.openam.http.ResponseContext$ResponseContextFilter.filter(ResponseContext.java:53)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.openam.http.OpenAMHttpApplication.lambda$static$1(OpenAMHttpApplication.java:60)
      	at org.forgerock.openam.http.OpenAMHttpApplication$$Lambda$621/1127517004.filter(Unknown Source)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.openam.http.OpenAMHttpApplication.lambda$cacheHeaderFilter$3(OpenAMHttpApplication.java:88)
      	at org.forgerock.openam.http.OpenAMHttpApplication$$Lambda$738/30937237.filter(Unknown Source)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:265)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:47)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:745)
      

      How to reproduce the issue

      A. Configuration

      1. Generate signing keys at https://mkjwk.org (Elliptic Curve tab: Curve = P-256, Key Use = Signing, Algorithm = ES256, Key ID = myKID) and save the output.
      2. Add an OAuth2 client with ClientID = myCID, password = password, scopes = "openid profile". In the Advanced tab add "Back Channel Request" to "grant type". In the "Signing and Encryption" tab paste the "Keypair set" from step 1 into "Json Web Key" and change "Public key selector" to JWKs.

      B. Generate a JWT at http://jwt.io with the ES256 algorithm

      Verify signature

      • enter the public key from step 1 into the upper box
      • enter the keypair from step 1 into the lower box

      Change payload to:

      {
         "login_hint":"demo",
         "scope":"openid profile",
         "acr_values":"push",
         "iss":"myCID",
         "aud":"http://am.localtest.me:8080/openam/oauth2",
         "exp":1559753575,
         "binding_message":"Allow ExampleBank to transfer £50 from your 'Main' account to your 'Savings' account? Reference: 0246326"
      }

      and modify

      • exp (expiration time) to the current time plus 10 minutes (in bash: expr `date +%s` + 600)
      • aud to your AM URL

      C. Request an auth request ID

      Copy the JWT to the file /tmp/JWT.txt and run:

      http -v -f -a ${OAUTH2_CLIENT_ID}:${OAUTH2_CLIENT_PASS} POST ${AM_URL}/oauth2/bc-authorize request=`cat ${JWT_FILE}`

      This should return "acr_values invalid or missing", as acr_values was not configured.

      D. Remove the last character from the file and run the command again.

      Expected behaviour
      HTTP 400 JWT signature verification failed
      
      Current behaviour
      HTTP 500 Null pointer exception
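As an added illustration (not OpenAM's code and not the fix shipped in 6.5.3/7.0.0), the Python below models the raw-to-DER step where the trace fails (SupportedEllipticCurve.forSignature via DerUtils.encodeEcdsaSignature) and shows how validating the signature segment first turns the truncated token into a clean "signature verification failed" rather than a null dereference: an ES256 signature is 64 raw bytes, i.e. 86 base64url characters, so dropping one character leaves a length base64 cannot produce. SAMPLE_JWS, its all-zero placeholder signature and the function names are constructed for this example.

```python
import base64

# Raw r||s signature lengths mandated by RFC 7518 for the JWS ECDSA algorithms.
ECDSA_RAW_SIG_LEN = {"ES256": 64, "ES384": 96, "ES512": 132}

# Constructed sample: header {"alg":"ES256"}, payload {}, 64-byte all-zero placeholder
# signature (86 base64url chars). Not a real signed token.
SAMPLE_JWS = "eyJhbGciOiJFUzI1NiJ9.e30." + "A" * 86

class JwsSignatureError(ValueError):
    """Malformed signature; the caller maps this to HTTP 400, never a 500."""

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, rejecting impossible lengths."""
    if len(segment) % 4 == 1:
        # One leftover char cannot carry a whole byte: what dropping the last char gives.
        raise JwsSignatureError("signature segment has an invalid base64url length")
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise JwsSignatureError(f"signature segment is not base64url: {exc}") from exc

def der_int(value: bytes) -> bytes:
    """Encode an unsigned big-endian integer as a minimal positive DER INTEGER."""
    value = value.lstrip(b"\x00") or b"\x00"
    if value[0] & 0x80:
        value = b"\x00" + value
    return b"\x02" + bytes([len(value)]) + value

def raw_ecdsa_to_der(raw_sig: bytes, alg: str) -> bytes:
    """Convert JWS raw r||s to a DER SEQUENCE; the length check is the guard."""
    expected = ECDSA_RAW_SIG_LEN.get(alg)
    if expected is None:
        raise JwsSignatureError(f"unsupported ECDSA algorithm {alg!r}")
    if len(raw_sig) != expected:
        raise JwsSignatureError(f"{alg} signature must be {expected} bytes, got {len(raw_sig)}")
    half = expected // 2
    body = der_int(raw_sig[:half]) + der_int(raw_sig[half:])
    # ES512 bodies can exceed 127 bytes, so use the long-form length when needed.
    length = bytes([len(body)]) if len(body) < 128 else b"\x81" + bytes([len(body)])
    return b"\x30" + length + body

def check_jws_signature(token: str, alg: str):
    """Return (ok, reason) for the signature segment of a compact-serialised JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "JWS must have exactly three segments"
    try:
        raw_ecdsa_to_der(b64url_decode(parts[2]), alg)
    except JwsSignatureError as exc:
        return False, str(exc)
    return True, "well-formed; continue with cryptographic verification"
```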

            People

            • Assignee: Michael Carter (michael.carter)
            • Reporter: Ľubomír Mlích (lubomir.mlich)