OpenAM
OPENAM-17774

Missing exp claim throws NullPointerException on CIBA bc-authorize endpoint


Details

    Description

      Bug description

      In the context of validating the conformance of the AM platform for the CIBA authentication flow, we have identified an issue when the exp claim is missing from the signed request parameter.

      How to reproduce the issue


      1. Configure an OAuth 2.0 provider and client for the Back Channel Request grant type
      2. Create a request object containing all the mandatory CIBA claims except exp
      3. Sign the request object
      4. Call the backchannel authentication endpoint
      Expected behaviour
      400 Bad request
      
      Current behaviour
      500 {"error":"server_error"}
      


      Code analysis

      A NullPointerException is observed in the logs:

      java.lang.NullPointerException: null
          at org.forgerock.openam.jwt.JwtClaimsValidationHandler.isExpired(JwtClaimsValidationHandler.java:109)
          at org.forgerock.openam.jwt.JwtClaimsValidationHandler.validateExpirationTime(JwtClaimsValidationHandler.java:100)
          at org.forgerock.openam.jwt.JwtClaimsValidationHandler.validateClaims(JwtClaimsValidationHandler.java:73)
          at org.forgerock.openam.oauth2.OpenAMClientRegistration.verifyBackChannelAuthRequestJwt(OpenAMClientRegistration.java:858)
          at org.forgerock.oauth2.restlet.BackChannelResource.backChannelAuthorize(BackChannelResource.java:144)
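      To make the expected versus current behaviour concrete, the following is an added Python illustration, not OpenAM code: a naive exp check that fails the way the stack trace shows, beside a validator that checks claim presence before any value comparison and maps the outcome to the 400 and 500 responses described above. It assumes the request object's signature has already been verified; the mandatory-claim list follows the CIBA Core specification, and the claim values, clock and auth_req_id are constructed for the demo.

```python
import time

# Claims the CIBA spec requires in a signed authentication request object
# (OpenID Connect CIBA Core, section 7.1.1).
REQUIRED_CLAIMS = ("aud", "iss", "exp", "iat", "nbf", "jti")


def naive_validate(claims: dict, now: float) -> None:
    """Mirrors the reported defect: compares exp without checking that it
    exists, so a missing claim surfaces as an unexpected exception."""
    if claims.get("exp") < now:  # TypeError on None, the analogue of the NPE
        raise ValueError("request object expired")


def strict_validate(claims: dict, now: float) -> None:
    """Checks presence of every mandatory claim before any value check, so a
    missing claim is reported as a client error instead of crashing."""
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError("missing claims: " + ", ".join(missing))
    if not all(isinstance(claims[c], (int, float)) for c in ("exp", "iat", "nbf")):
        raise ValueError("exp, iat and nbf must be numeric")
    if claims["exp"] <= now:
        raise ValueError("request object expired")
    if claims["nbf"] > now:
        raise ValueError("request object not yet valid")


def bc_authorize(claims: dict, validate, now=None):
    """Endpoint-style wrapper for an already signature-verified request object:
    ValueError -> 400 invalid_request, anything unexpected -> 500 server_error."""
    now = time.time() if now is None else now
    try:
        validate(claims, now)
    except ValueError as err:
        return 400, {"error": "invalid_request", "error_description": str(err)}
    except Exception:
        return 500, {"error": "server_error"}
    return 200, {"auth_req_id": "constructed-auth-req-id"}


NOW = 1_700_000_000  # fixed clock so the demo is deterministic
# Constructed request object with every mandatory CIBA claim except exp (step 2).
NO_EXP = {"aud": "https://as.example/oauth2", "iss": "client-1", "iat": NOW - 10,
          "nbf": NOW - 10, "jti": "constructed-jti-1", "scope": "openid",
          "login_hint": "alice"}

if __name__ == "__main__":
    print(bc_authorize(NO_EXP, naive_validate, NOW))   # (500, {'error': 'server_error'})
    print(bc_authorize(NO_EXP, strict_validate, NOW))  # 400 invalid_request, missing exp
```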

          People

            apforrest Andrew Forrest
            marian.tiris Marian Tiris