[OPENAM-15040] CIBA authorization request returns HTTP 500 NPE when file is wrong Created: 05/Jun/19  Updated: 04/Feb/20  Resolved: 28/Oct/19

Status: Resolved
Project: OpenAM
Component/s: oauth2
Affects Version/s: 6.5.2, 7.0.0
Fix Version/s: 6.5.2.3, 7.0.0, 6.5.3

Type: Bug Priority: Major
Reporter: Ľubomír Mlích Assignee: Kevin Umebolu
Resolution: Fixed Votes: 0
Labels: AME, Must-Fix, NEWTON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Rank: 1|hzk4af:
Sprint: AM 2019.15 - Gears
Verified Version/s:

Description

Bug description

An HTTP 500 error is returned when the POST body of a CIBA authorization request is wrong.

How to reproduce the issue

  1. Configure the OpenID Connect service.
  2. Add an OAuth2 client with a name and password, and add the backchannel grant type.
  3. Send an authorize request with a JSON file instead of a JWT, or with no payload at all.

Expected behaviour

An error leading the customer to what the expected request payload is.

Current behaviour

$ http -v -a ${USER}:${PASS} POST ${URL}/oauth2/bc-authorize
POST /openam/oauth2/bc-authorize HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Basic bXlDbGllbnRJRDpwYXNzd29yZA==
Connection: keep-alive
Content-Length: 0
Host: amqa-clone70.test.forgerock.com:8080
User-Agent: HTTPie/0.9.8

HTTP/1.1 500 
Connection: close
Content-Length: 24
Content-Type: application/json;charset=UTF-8
Date: Wed, 05 Jun 2019 09:46:41 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

{
    "error": "server_error"
}

$ cat openam/openam/debug/OAuth2Provider 
o.f.o.r.ExceptionHandler: 2019-06-05 10:46:41,688: Thread[http-nio-8080-exec-10]: TransactionId[7eb23208-34c3-4c55-9f2a-a332659acf74-61802]
ERROR: Unhandled exception: 
java.lang.NullPointerException: null
	at org.forgerock.json.jose.common.JwtReconstruction.reconstructJwt(JwtReconstruction.java:61)
	at org.forgerock.oauth2.core.OAuth2Jwt.create(OAuth2Jwt.java:70)
	at org.forgerock.oauth2.restlet.BackChannelResource.backChannelAuthorize(BackChannelResource.java:136)
	at sun.reflect.GeneratedMethodAccessor105.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:483)
	at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:81)
	at org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:77)
	at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
	at org.forgerock.openam.audit.AbstractHttpAccessAuditFilter.filter(AbstractHttpAccessAuditFilter.java:88)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.routing.Router.handle(Router.java:100)
	at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:85)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.routing.Router.handle(Router.java:100)
	at org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:206)
	at org.forgerock.http.routing.Router.handle(Router.java:100)
	at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:88)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:63)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:139)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.openam.http.ResponseContext$ResponseContextFilter.filter(ResponseContext.java:53)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.openam.http.OpenAMHttpApplication.lambda$static$1(OpenAMHttpApplication.java:60)
	at org.forgerock.openam.http.OpenAMHttpApplication$$Lambda$828/1545480468.filter(Unknown Source)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.openam.http.OpenAMHttpApplication.lambda$cacheHeaderFilter$3(OpenAMHttpApplication.java:88)
	at org.forgerock.openam.http.OpenAMHttpApplication$$Lambda$899/1215841189.filter(Unknown Source)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:265)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:47)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
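The trace above shows the request body reaching JwtReconstruction.reconstructJwt with nothing to parse. The example below is added here and is not OpenAM code: it shows the kind of input validation a backchannel endpoint can apply before any JWT reconstruction, so that an empty body or a non-JWT payload is answered with HTTP 400 and the CIBA `invalid_request` error code (with a description telling the client what was expected) instead of an unhandled NullPointerException and a `server_error`. It assumes the endpoint expects a signed request object in the `request` form parameter; the `Result` type, the `validate` method and the sample inputs (including the placeholder signature segment) are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example, not OpenAM code: validate a CIBA backchannel authentication
 * request before any JWT reconstruction, so an empty or non-JWT body is
 * answered with HTTP 400 invalid_request rather than an unhandled NPE / 500.
 * Assumes the endpoint expects a signed request object in the "request"
 * form parameter; Result is a hypothetical stand-in for the real response type.
 */
public final class BackchannelRequestValidator {

    /** Validation outcome: HTTP status plus OAuth2 error, or the JWT to hand to the parser. */
    public static final class Result {
        public final int status;         // 400 on rejection, 200 when the JWT may be parsed
        public final String error;       // OAuth2 error code, null on success
        public final String description; // hint telling the client what was expected
        public final String requestJwt;  // compact JWS string, null on rejection

        private Result(int status, String error, String description, String requestJwt) {
            this.status = status;
            this.error = error;
            this.description = description;
            this.requestJwt = requestJwt;
        }

        static Result reject(String description) {
            return new Result(400, "invalid_request", description, null);
        }

        static Result accept(String jwt) {
            return new Result(200, null, null, jwt);
        }
    }

    // Compact JWS shape: three base64url segments separated by dots. The signature
    // segment may be syntactically empty; alg "none" is rejected separately below.
    private static final Pattern COMPACT_JWS =
            Pattern.compile("^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*$");

    /**
     * @param contentType value of the request's Content-Type header, may be null
     * @param form        decoded form parameters; null or empty when the body was empty
     */
    public static Result validate(String contentType, Map<String, String> form) {
        if (form == null || form.isEmpty()) {
            return Result.reject("empty request body; expected a form-encoded body with a 'request' parameter");
        }
        if (contentType == null
                || !contentType.toLowerCase().startsWith("application/x-www-form-urlencoded")) {
            return Result.reject("unsupported Content-Type; expected application/x-www-form-urlencoded");
        }
        String jwt = form.get("request");
        if (jwt == null || jwt.trim().isEmpty()) {
            return Result.reject("missing 'request' parameter carrying the signed request object");
        }
        if (!COMPACT_JWS.matcher(jwt).matches()) {
            return Result.reject("'request' is not a compact JWS (header.payload.signature)");
        }
        // Peek at the JOSE header before handing the token to a full JWT parser.
        String header;
        try {
            byte[] raw = Base64.getUrlDecoder().decode(jwt.substring(0, jwt.indexOf('.')));
            header = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Result.reject("'request' header segment is not valid base64url");
        }
        if (!header.trim().startsWith("{") || !header.contains("\"alg\"")) {
            return Result.reject("'request' header is not a JOSE header with an alg claim");
        }
        if (header.matches("(?s).*\"alg\"\\s*:\\s*\"none\".*")) {
            return Result.reject("unsigned (alg=none) request objects are not accepted");
        }
        return Result.accept(jwt);
    }

    public static void main(String[] args) {
        // Case 1: the empty POST from the ticket (Content-Length: 0).
        print("empty body", validate(null, Collections.emptyMap()));

        // Case 2: a JSON document posted where a form-encoded JWT was expected
        // (a form parser sees the whole document as one key with an empty value).
        Map<String, String> json = new HashMap<>();
        json.put("{\"scope\":\"openid\"}", "");
        print("json body", validate("application/json", json));

        // Case 3: a well-formed compact JWS. Constructed sample: header {"alg":"RS256"},
        // payload {"scope":"openid"}, and a placeholder (not a real) signature segment.
        Map<String, String> ok = new HashMap<>();
        ok.put("request", "eyJhbGciOiJSUzI1NiJ9.eyJzY29wZSI6Im9wZW5pZCJ9.c2ln");
        print("signed request object", validate("application/x-www-form-urlencoded", ok));
    }

    private static void print(String label, Result r) {
        System.out.println(label + " -> HTTP " + r.status
                + (r.error == null ? " (pass to JWT parser)" : " " + r.error + ": " + r.description));
    }
}
```

The check only establishes that there is something JWT-shaped to parse; signature verification, client binding and claim validation still happen in the real JWT processing that follows. The point is that every rejection here carries a 400 and a description, which is the behaviour the comment below reports for the fixed build.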

Comments
Comment by Ľubomír Mlích [ 04/Feb/20 ]

Reproduced in ForgeRock Access Management 6.5.2.2 Build 512c5a2f00 (2019-October-30 10:12)
Verified in ForgeRock Access Management 6.5.2.3-M1 Build 26261986e5 (2020-February-03 13:51): I see an HTTP 400 error instead of 500, and no NPE in the debug log.

Generated at Fri Mar 05 07:48:42 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.