[OPENAM-12215] NPE thrown when calling OIDC authorize endpoint with invalid SSOToken Created: 13/Dec/17  Updated: 23/Nov/20  Resolved: 24/Jan/18

Status: Resolved
Project: OpenAM
Component/s: oauth2, OpenID Connect
Affects Version/s: 5.5.1
Fix Version/s: 6.0.0, 5.5.2

Type: Bug Priority: Minor
Reporter: C-Weng C Assignee: Dipu Seminlal
Resolution: Fixed Votes: 0
Labels: AME, Must-Fix, NEWTON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to OPENAM-17101 Different behavior when invalid/missi... Open
Target Version/s:
Rank: 1|hzuly7:
Sprint: Sprint 2017.17 Newton, Sprint 2018.1 Newton
Needs backport:
Yes
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Yes
Functional tests:
No
Are the reproduction steps defined?:
Yes and I used the same as in the description

Description

Bug description

When issuing a REST call like

curl -s -D - -k --request POST \
  --cookie 'iPlanetDirectoryPro=W_CP_Nrv-11neoaOGbA2rdYzKm0.*AAJTSQACMDEAAlNLABxFeDhPQ2ppM05aclp2SDNnMVpCNnZiY1lBb0E9AAJTMQAA*' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Cache-control: no-cache' \
  --data 'response_type=token%20id_token&client_id=myOIDCClient&redirect_uri=http://localhost/test&scope=openid%20profile&save_consent=0&decision=allow&nonce=nonce&response_mode=&csrf=W_CP_Nrv-11neoaOGbA2rdYzKm0.*AAJTSQACMDEAAlNLABxFeDhPQ2ppM05aclp2SDNnMVpCNnZiY1lBb0E9AAJTMQAA*' \
  'http://openam.example.com:8080/openam/oauth2/authorize?realm=/'

This returns a server error 500, and the logs show:

Caused by: java.lang.NullPointerException
        at org.forgerock.oauth2.core.CsrfProtection.isCsrfAttack(CsrfProtection.java:52)
        at org.forgerock.oauth2.core.AuthorizationService.handlePostRequest(AuthorizationService.java:343)
        at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:180)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.restlet.resource.ServerResource.doHandle(ServerResource.java:520)
        ... 81 more


How to reproduce the issue


  1. Set up an OpenID Connect client like the ones in https://backstage.forgerock.com/docs/am/5.5/oidc1-guide/#chap-oidc1-usage
  2. Send a REST call like the one above (with an expired or invalid SSOToken)
  3. Check whether the HTTP response is 500 and whether there is an NPE in the logs (enable message debug)
Expected behaviour
At least an error like 400  (Bad request) is expected and surely not 500.
Current behaviour
Server error  500

Workaround

Just make sure to authorize with a valid SSOToken

org.forgerock.oauth2.core.CsrfProtection.java
51        SSOToken ssoToken = resourceOwnerSessionValidator.getResourceOwnerSession(request);
52        String ssoTokenId = ssoToken.getTokenID().toString();
53        String csrfValue = request.getParameter("csrf");

ssoToken can be null on return, so this needs to be guarded against.
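To show what "guarded against" means for this check, here is an added example (not OpenAM's code and not the fix referenced in the comments below). It reworks the three lines above so that a missing or expired resource-owner session fails closed with a client-side invalid_request error instead of dereferencing null, and it treats an absent csrf parameter as a failed check. The SessionValidator interface, the InvalidRequestException type, the Map-based request and the sample session ids are all constructed for this example; the constant-time comparison via MessageDigest.isEqual is this example's choice, since the page does not show how OpenAM compares the two values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class CsrfCheckExample {

    /** Hypothetical client error (400 invalid_request), standing in for the 500 the NPE produced. */
    static final class InvalidRequestException extends Exception {
        InvalidRequestException(String description) { super(description); }
    }

    /** Hypothetical stand-in for resourceOwnerSessionValidator: empty when the session is missing or expired. */
    interface SessionValidator {
        Optional<String> resourceOwnerSessionId(Map<String, String> request);
    }

    private final SessionValidator validator;

    CsrfCheckExample(SessionValidator validator) { this.validator = validator; }

    /**
     * Returns true when the request's csrf parameter does not match the caller's session id.
     * A request without a resolvable session is rejected with a client error, never an NPE.
     */
    boolean isCsrfAttack(Map<String, String> request) throws InvalidRequestException {
        // Guard the null case up front: no session means the request cannot be validated.
        String sessionId = validator.resourceOwnerSessionId(request)
            .orElseThrow(() -> new InvalidRequestException(
                "Failed to get resource owner session from request"));

        String csrf = request.get("csrf");
        if (csrf == null) {
            return true; // absent csrf parameter: fail closed
        }
        // Length-independent, constant-time comparison of the two values.
        return !MessageDigest.isEqual(
            sessionId.getBytes(StandardCharsets.UTF_8),
            csrf.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample: only "valid-session-id" is an active session.
        SessionValidator validator = req -> {
            String cookie = req.get("iPlanetDirectoryPro");
            return "valid-session-id".equals(cookie) ? Optional.of(cookie) : Optional.empty();
        };
        CsrfCheckExample check = new CsrfCheckExample(validator);

        Map<String, String> matching = Map.of("iPlanetDirectoryPro", "valid-session-id", "csrf", "valid-session-id");
        Map<String, String> mismatch = Map.of("iPlanetDirectoryPro", "valid-session-id", "csrf", "other-value");
        Map<String, String> expired  = Map.of("iPlanetDirectoryPro", "expired-session-id", "csrf", "expired-session-id");

        for (Map<String, String> req : List.of(matching, mismatch, expired)) {
            try {
                System.out.println("csrf attack? " + check.isCsrfAttack(req));
            } catch (InvalidRequestException e) {
                // This is the path the original code turned into a 500: now a 400-style error.
                System.out.println("400 invalid_request: " + e.getMessage());
            }
        }
    }
}
```

Running the main method prints false for the matching pair, true for the mismatch, and the invalid_request message for the expired session, which is the error_description the later comments report after the fix.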



Comments
Comment by Ľubomír Mlích [ 02/Sep/19 ]

Reproduced in ForgeRock Access Management 5.5.1 Build 96b47ad4f1 (2017-October-26 15:41), I can see HTTP error 500

Verified as fixed in ForgeRock Access Management 5.5.2-M7 Build 965200a558 (2019-August-20 08:11), I can see HTTP 302, redirect to redirect_uri with parameters:

?error_description=Failed%20to%20get%20resource%20owner%20session%20from%20request&error=invalid_request
Comment by Charan Mann [ 20/Nov/20 ]

I am seeing the same behavior in 6.5.3 but not in 7.0. Although I couldn't find an NPE, the same error is returned in 6.5.x when the SSO session is invalid/missing from /authorize.

AM 6.5.3 returns error:
http://am653.example.com:8080/am?error_description=Failed%20to%20get%20resource%20owner%20session%20from%20request&error=invalid_request

AM 7.0 redirects user to login UI (expected):
http://am7.example.com:8086/am/UI/Login?realm=/customers&goto=http://am7.example.com:8086/am/oauth2/realms/root/realms/customers/authorize

Comment by Adam Heath [ 23/Nov/20 ]

I've updated the fix version here back to 6.0.0 as this should in fact be correct - you can see this fix present in the 6.0.0 tag of the openam repo here:  https://stash.forgerock.org/projects/OPENAM/repos/openam/browse/openam-oauth2/src/main/java/org/forgerock/oauth2/core/CsrfProtection.java?until=1a3d0cffb23c6318dc79f24a67d3984e58635585&untilPath=openam-oauth2%2Fsrc%2Fmain%2Fjava%2Forg%2Fforgerock%2Foauth2%2Fcore%2FCsrfProtection.java&at=refs%2Ftags%2F6.0.0

The fix here was to prevent the NPE from occurring alongside a 500 response, and from what Charan Mann is mentioning here it sounds like that is no longer the case: as you mention, no NPE is thrown but instead a 400 response with "Invalid Request", which is the expected behaviour of the fix.

If you feel this behaviour is not correct then I think the best action would be to raise a new JIRA with reproduction steps and expected response so that this can be addressed fully across the appropriate versions.

Comment by Charan Mann [ 23/Nov/20 ]

Thanks Adam Heath, I opened OPENAM-17101 to track different behavior in 6.5 v/s 7.0 

Generated at Mon Mar 01 21:39:01 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.