quarkus-oidc NullPointerException #10717

Closed
MarcusSchilling opened this issue Jul 14, 2020 · 9 comments · Fixed by #10811
Labels
area/oidc kind/bug Something isn't working
Milestone

Comments

@MarcusSchilling

Describe the bug
When you send an incorrect token, for example a refresh token, a NullPointerException appears.

Expected behavior
There should be a 403 Forbidden response.

Actual behavior
500 Internal Server Error with a NullPointerException

To Reproduce
Steps to reproduce the behavior:

  1. Initialize a project with the quarkus-oidc extension
  2. Make a protected endpoint
  3. Send a request with a refresh token

Environment (please complete the following information):

  • Output of uname -a Darwin MacBook-Pro-5.local 19.5.0 Darwin Kernel Version 19.5.0: Tue May 26 20:41:44 PDT 2020; root:xnu-6153.121.2~2/RELEASE_X86_64 x86_64
  • Output of java -version: openjdk version "11.0.7" 2020-04-14
    OpenJDK Runtime Environment GraalVM CE 20.1.0 (build 11.0.7+10-jvmci-20.1-b02)
    OpenJDK 64-Bit Server VM GraalVM CE 20.1.0 (build 11.0.7+10-jvmci-20.1-b02, mixed mode, sharing)
  • GraalVM version (if different from Java):
  • Quarkus version: 1.5.2.Final
  • Build tool (ie. output of mvnw --version or gradlew --version): apache-maven-3.6.3

Additional context

2020-07-14 15:13:53,241 ERROR [io.qua.ver.htt.run.QuarkusErrorHandler] (vert.x-eventloop-thread-7) HTTP Request to /api/users/me failed, error id: c2bda5a4-6fb5-4755-8746-d47c8905d9ee-6: java.lang.NullPointerException
at io.quarkus.oidc.runtime.OidcUtils.validateAndCreateIdentity(OidcUtils.java:138)
at io.quarkus.oidc.runtime.OidcIdentityProvider$2$1.handle(OidcIdentityProvider.java:88)
at io.quarkus.oidc.runtime.OidcIdentityProvider$2$1.handle(OidcIdentityProvider.java:78)
at io.vertx.ext.auth.oauth2.impl.OAuth2AuthProviderImpl.lambda$decodeToken$3(OAuth2AuthProviderImpl.java:271)
at io.vertx.ext.auth.oauth2.impl.OAuth2AuthProviderImpl.lambda$authenticate$1(OAuth2AuthProviderImpl.java:230)
at io.vertx.ext.auth.oauth2.impl.OAuth2TokenImpl.lambda$introspect$3(OAuth2TokenImpl.java:488)
at io.vertx.ext.auth.oauth2.impl.OAuth2API.lambda$null$1(OAuth2API.java:129)
at io.vertx.core.http.impl.HttpClientResponseImpl$BodyHandler.notifyHandler(HttpClientResponseImpl.java:292)
at io.vertx.core.http.impl.HttpClientResponseImpl.lambda$bodyHandler$0(HttpClientResponseImpl.java:193)
at io.vertx.core.http.impl.HttpClientResponseImpl.handleEnd(HttpClientResponseImpl.java:248)
at io.vertx.core.http.impl.Http1xClientConnection$StreamImpl.lambda$beginResponse$0(Http1xClientConnection.java:480)
at io.vertx.core.streams.impl.InboundBuffer.handleEvent(InboundBuffer.java:237)
at io.vertx.core.streams.impl.InboundBuffer.write(InboundBuffer.java:127)
at io.vertx.core.http.impl.Http1xClientConnection$StreamImpl.endResponse(Http1xClientConnection.java:499)
at io.vertx.core.http.impl.Http1xClientConnection$StreamImpl.access$000(Http1xClientConnection.java:237)
at io.vertx.core.http.impl.Http1xClientConnection.handleResponseEnd(Http1xClientConnection.java:632)
at io.vertx.core.http.impl.Http1xClientConnection.handleHttpMessage(Http1xClientConnection.java:592)
at io.vertx.core.http.impl.Http1xClientConnection.handleMessage(Http1xClientConnection.java:566)
at io.vertx.core.impl.ContextImpl.executeTask(ContextImpl.java:369)
at io.vertx.core.impl.EventLoopContext.execute(EventLoopContext.java:43)
at io.vertx.core.impl.ContextImpl.executeFromIO(ContextImpl.java:232)
at io.vertx.core.net.impl.VertxHandler.channelRead(VertxHandler.java:173)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:324)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296)
at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1518)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:834)

@MarcusSchilling MarcusSchilling added the kind/bug Something isn't working label Jul 14, 2020
@sberyozkin
Member

@MarcusSchilling Hi, I think this has been fixed on the master branch, can you please try a SNAPSHOT build ?

@sberyozkin
Member

It will be 401 since at this point we are not enforcing RBAC yet

@sberyozkin sberyozkin added this to the 1.7.0 - master milestone Jul 14, 2020
@sberyozkin
Member

@MarcusSchilling So this is a service application, and Keycloak ?

@sberyozkin
Member

@pedroigor Hey Pedro, we may have an 'exciting' issue here :-). If an SPA sends a valid refresh token to a Quarkus service application, and the OIDC server verifies it via the introspection response, there is nothing we can do to detect that it is not an access token, right? This is probably all right, since an RT is like a big access token, given that it can renew the ATs...
If the RT is a JWT, then we can add a property which will enforce that the verified JWT is of the given type (for example, Bearer for service apps, ID for code flows); we'd need a property because Keycloak would set Bearer, for example, but I'm not sure about other IDPs.
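
Added example (not code from Quarkus, Vert.x or Keycloak) illustrating the token-type check proposed in the comment above. It decodes the JOSE header of a presented token and, for a service application, accepts only typ "Bearer"; a JWT with any other typ, or a malformed token, is answered with 401 rather than 500. The "Refresh" typ used for the sample refresh token is an assumption about the value Keycloak emits, and enforcement is opt-in because other providers may omit typ. Opaque tokens cannot be typed locally, so they fall through to a stand-in introspection lookup, which also shows the gap the comment describes: a valid opaque refresh token introspects as active and is accepted. The sample tokens, the placeholder signature segment, the INTROSPECTION_DB table and all function names are constructed for this example.

```python
"""Added example (not Quarkus or Keycloak code): detect a refresh token presented
as a bearer token by checking the JWT "typ" header, and answer 401, never 500."""
import base64
import json
from typing import Optional

# Expected "typ" header per application type, as discussed in the thread.
# Assumption: these are the values Keycloak emits; other providers may use
# other values or omit "typ" entirely, which is why enforcement is opt-in.
EXPECTED_TYPE = {"service": "Bearer", "web-app": "ID"}

# Constructed stand-in for the OIDC server's introspection endpoint: maps an
# opaque token string to the "active" flag the server would report.
INTROSPECTION_DB = {
    "opaque-access-token-123": True,
    "opaque-refresh-token-456": True,   # a valid RT introspects as active too
    "opaque-revoked-token-789": False,
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_jwt(header: dict, payload: dict) -> str:
    # Constructed sample token with a placeholder signature segment. A real
    # verifier checks the signature over header.payload first; only then is
    # the "typ" header (which the signature covers) trustworthy.
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.sig"


def jwt_header(token: str) -> Optional[dict]:
    """Decode the JOSE header, or return None when the token is not a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64 (binascii.Error), bad UTF-8 or bad JSON
        return None
    return header if isinstance(header, dict) else None


def introspect(token: str) -> bool:
    """Stand-in for the introspection call; True means the server says active."""
    return INTROSPECTION_DB.get(token, False)


def authenticate(token: str, app_type: str, enforce_type: bool = True) -> int:
    """Return the HTTP status a protected endpoint should answer with.

    200: token accepted (signature or introspection verified elsewhere).
    401: token rejected. A mistyped or malformed token is a client error,
         so it must never surface as a 500 from an unhandled exception.
    """
    header = jwt_header(token)
    if header is None:
        # Opaque token: only the server can judge it, and a valid refresh
        # token will introspect as active, which is the gap the thread notes.
        return 200 if introspect(token) else 401
    if enforce_type and header.get("typ") != EXPECTED_TYPE[app_type]:
        return 401
    return 200


# Constructed sample tokens.
ACCESS_JWT = make_sample_jwt({"alg": "RS256", "typ": "Bearer"}, {"sub": "alice"})
REFRESH_JWT = make_sample_jwt({"alg": "HS256", "typ": "Refresh"}, {"sub": "alice"})
ID_JWT = make_sample_jwt({"alg": "RS256", "typ": "ID"}, {"sub": "alice"})
UNTYPED_JWT = make_sample_jwt({"alg": "RS256"}, {"sub": "alice"})

if __name__ == "__main__":
    samples = [("access", ACCESS_JWT), ("refresh", REFRESH_JWT), ("id", ID_JWT),
               ("untyped", UNTYPED_JWT), ("opaque-rt", "opaque-refresh-token-456"),
               ("garbage", "not.a.jwt")]
    for name, tok in samples:
        print(f"{name:10s} -> service app answers {authenticate(tok, 'service')}")
```

The check only makes sense alongside signature verification: the header is covered by the JWS signature, so an attacker cannot rewrite typ on a signed token, but on an unverified token the value means nothing. For opaque tokens the example can only defer to introspection, which is exactly why the comment above concludes that a valid opaque RT cannot be told apart from an AT on the service side.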

@pedroigor
Contributor

Yeah, RTs are supposed to be opaque. In Keycloak we do set the type to explicitly mark the JWT as a refresh token. But we can't guarantee others do the same if they are also using JWTs for RTs.

I think the best we can do is just handle this case properly and avoid a NPE, as you mentioned?

@sberyozkin
Member

@pedroigor What that NPE implies (it has been fixed on master) is that Vert.x has successfully verified the token, but it has not been decoded into JSON. So yeah, if it is an opaque token in the service application, then I'm not sure what we can do; I'll look into it.

@MarcusSchilling
Author

MarcusSchilling commented Jul 16, 2020

SNAPSHOT

How am I able to try a snapshot build? Do I have to change the pom accordingly?

So this is a service application, and Keycloak ?

Correct

@MarcusSchilling
Author

It will be 401 since at this point we are not enforcing RBAC yet

Oh yes, you are right, 401 Unauthorized makes much more sense.

@sberyozkin
Member

@MarcusSchilling Thanks. So yes, the actual NPE has been fixed, but a fix is also on the way to make sure 401 is returned.
