  1. OpenAM
  2. OPENAM-15507

500 error when calling /revoke or /refresh endpoint with wrong token

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0.7, 6.5.2.1
    • Fix Version/s: 6.0.1, 6.5.3, 7.0.0, 5.5.2
    • Component/s: oauth2
    • Labels:
    • Sprint:
      AM Sustaining Sprint 68
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      Using a REST client, make a POST call to 

      https://<am server url>/am/oauth2/realms/members/token/revoke 

      or

      https://<am server url>/am/oauth2/realms/members/token/access_token

      using a wrong or expired token will result in a 500 error

      How to reproduce the issue

      Run the following curl commands against an AM 6.0.0.7 server

       

      1. curl -v -k -X POST http://openam.example.com:8080/am/oauth2/realms/root/realms/members/access_token -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Forwarded-For: 127.0.0.1' -d 'client_id=basic&client_secret=welcome1&grant_type=refresh_token&refresh_token=eyJ0eXAiOiJKV1QiLCJjdHkiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.qJCw3Fx8Ve0myy7rLwXfzFvhwcazosYhJkgvwTn7c80'

       

      2. curl -v -k -X POST http://openam.example.com:8080/am/oauth2/realms/root/realms/members/token/revoke -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Forwarded-For: 127.0.0.1' -d 'client_id=basic&client_secret=welcome1&token=eyJ0eXAiOiJKV1QiLCJjdHkiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.qJCw3Fx8Ve0myy7rLwXfzFvhwcazosYhJkgvwTn7c80'

       

      The above commands will result in a 500 error

       

       

      Expected behaviour
      
      
      Current behaviour
      500 error

      Work around

      none

       

      Code analysis

       

              People

              • Assignee:
                lawrence.yarham Lawrence Yarham
                Reporter:
                steve.nolan Steve Nolan
              • Votes:
                0
                Watchers:
                6

                Dates

                • Created:
                  Updated:
                  Resolved:
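
A regression check for the two requests in the reproduction steps, added here as an example and not taken from the ticket or from OpenAM. The pass criteria are an assumption drawn from RFC 7009 section 2.2 (revoking an invalid token returns 200) and RFC 6749 section 5.2 (a bad refresh token returns 400 `invalid_grant`), since the ticket's "Expected behaviour" field is empty; `check_response`, `probe`, `CLIENT_ID` and `CLIENT_SECRET` are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the ticket. Expected results follow RFC 7009
# section 2.2 (revoke) and RFC 6749 section 5.2 (refresh).

# check_response ENDPOINT STATUS BODY: prints a verdict, returns 0 only on PASS.
check_response() {
    endpoint=$1; status=$2; body=$3
    case "$status" in
        5??) echo "FAIL $endpoint: HTTP $status, server error on a bad token"
             return 1 ;;
    esac
    if [ "$endpoint" = revoke ] && [ "$status" = 200 ]; then
        # RFC 7009: an unknown or expired token is not an error for revocation.
        echo "PASS revoke: HTTP 200"; return 0
    fi
    if [ "$endpoint" = refresh ] && [ "$status" = 400 ] &&
       printf '%s' "$body" | grep -q '"error"[[:space:]]*:[[:space:]]*"invalid_grant"'; then
        # RFC 6749: a bad refresh token is a client error, reported as invalid_grant.
        echo "PASS refresh: HTTP 400 invalid_grant"; return 0
    fi
    echo "FAIL $endpoint: HTTP $status is not the RFC response for an invalid token"
    return 1
}

# probe BASE ENDPOINT TOKEN: replays the ticket's request and checks the reply.
# BASE is the realm URL (.../am/oauth2/realms/root/realms/members in the ticket).
# CLIENT_ID and CLIENT_SECRET are environment variables assumed by this example.
probe() {
    base=$1; endpoint=$2; token=$3; tmp=$(mktemp)
    if [ "$endpoint" = revoke ]; then
        url="$base/token/revoke"
        set -- --data-urlencode "token=$token"
    else
        url="$base/access_token"
        set -- -d grant_type=refresh_token --data-urlencode "refresh_token=$token"
    fi
    status=$(curl -s -o "$tmp" -w '%{http_code}' -X POST "$url" \
        --data-urlencode "client_id=$CLIENT_ID" \
        --data-urlencode "client_secret=$CLIENT_SECRET" "$@") || status=000
    if check_response "$endpoint" "$status" "$(cat "$tmp")"; then rc=0; else rc=1; fi
    rm -f "$tmp"; return "$rc"
}

# Constructed sample responses (not captured from a real server).
check_response revoke 500 '' || true
check_response refresh 400 '{"error":"invalid_grant"}' || true
```

Against a test server, call `probe "$BASE" revoke "$TOKEN"` and `probe "$BASE" refresh "$TOKEN"` with an invalid token; a non-zero return marks the behaviour this ticket reports.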