NPE during CON_APP_KEY recovery flow with OAuth2 hybrid flow #20403

rksk opened this issue May 17, 2024 · 0 comments
rksk commented May 17, 2024

Describe the issue:
During the CON_APP_KEY recovery flow, tokReqMsgCtx is read from a thread local and passed to the token issuer at [1]. But this thread local is not populated in the hybrid flow.

In the default token issuers in IS, this tokReqMsgCtx is not used, but in IS-KM there is a token issuer which uses it. Ref [2].

How to reproduce:
(The steps are longer since it is hard to get CON_APP_KEY violations in a simple setup. Therefore we are setting up the JWT token type and two IS nodes.)

  • Configure an APIM 3.1 + IS-KM 5.10 setup sharing the DBs (two IS instances are required)
  • Create an application from the APIM dev portal and set the token type to JWT
  • Log in to that app using the code grant, accept consent always, and obtain the commonAuthId cookie value from the browser
  • Invoke the following command (which runs two curls against two IS nodes) multiple times
  • Make sure to update the client id and commonAuthId cookie value in both curl commands, and make sure the two commands use the ports of the two IS nodes
  • The same can be reproduced with response_type=id_token as well

```shell
curl -kv 'https://localhost:9443/oauth2/authorize?nonce=a&state=aaa&response_type=token&redirect_uri=https%3A%2F%2Flocalhost&scope=openid&client_id=<client_id>' -H 'Cookie: commonAuthId=<commonAuthId>' & curl -kv 'https://localhost:9444/oauth2/authorize?nonce=a&state=aaa&response_type=token&redirect_uri=https%3A%2F%2Flocalhost&scope=openid&client_id=<client_id>' -H 'Cookie: commonAuthId=<commonAuthId>'
```

```
ERROR {org.wso2.carbon.identity.oauth2.OAuth2Service} - Error occurred when processing the authorization request. Returning an error back to client. java.lang.NullPointerException
        at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.renewAccessTokenPerRequest_aroundBody4(APIMTokenIssuer.java:147)
        at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.renewAccessTokenPerRequest(APIMTokenIssuer.java:145)
        at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.recoverFromConAppKeyConstraintViolation(AccessTokenDAOImpl.java:2261)
        at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.insertAccessToken(AccessTokenDAOImpl.java:292)
        at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.insertAccessToken(AccessTokenDAOImpl.java:106)
        at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.insertAccessToken(AccessTokenDAOImpl.java:354)
        at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.storeAccessToken(ResponseTypeHandlerUtil.java:648)
        at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.persistAccessTokenInDB(ResponseTypeHandlerUtil.java:632)
        at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.generateNewAccessToken(ResponseTypeHandlerUtil.java:521)
        at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.generateAccessToken(ResponseTypeHandlerUtil.java:193)
        at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.generateAccessToken(ResponseTypeHandlerUtil.java:133)
        at org.wso2.carbon.identity.oauth2.authz.handlers.IDTokenResponseTypeHandler.issue(IDTokenResponseTypeHandler.java:38)
        at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.handleAuthorization(AuthorizationHandlerManager.java:105)
        at org.wso2.carbon.identity.oauth2.OAuth2Service.authorize(OAuth2Service.java:104)
        at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:2720)
ERROR {org.wso2.carbon.identity.oauth2.OAuth2Service} - Error occurred when processing the authorization request. Returning an error back to client. java.lang.NullPointerException
        at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.renewAccessTokenPerRequest_aroundBody4(APIMTokenIssuer.java:147)
        at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.renewAccessTokenPerRequest(APIMTokenIssuer.java:145)
        at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.recoverFromConAppKeyConstraintViolation(AccessTokenDAOImpl.java:2261)
        at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.insertAccessToken(AccessTokenDAOImpl.java:292)
        at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.insertAccessToken(AccessTokenDAOImpl.java:106)
        at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.insertAccessToken(AccessTokenDAOImpl.java:354)
        at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.storeAccessToken(ResponseTypeHandlerUtil.java:648)
        at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.persistAccessTokenInDB(ResponseTypeHandlerUtil.java:632)
        at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.generateNewAccessToken(ResponseTypeHandlerUtil.java:521)
        at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.generateAccessToken(ResponseTypeHandlerUtil.java:193)
        at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.generateAccessToken(ResponseTypeHandlerUtil.java:133)
        at org.wso2.carbon.identity.oauth2.authz.handlers.AccessTokenResponseTypeHandler.issue(AccessTokenResponseTypeHandler.java:43)
        at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.handleAuthorization(AuthorizationHandlerManager.java:105)
        at org.wso2.carbon.identity.oauth2.OAuth2Service.authorize(OAuth2Service.java:104)
        at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:2720)
```

Environment information

  • Product Version: IS-KM 5.10.0
  • Database: MySQL

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/f42be384bad35ae814ce96c5ea8299c3acd1f4a2/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/AccessTokenDAOImpl.java#L2503-L2505
[2] https://github.com/wso2/carbon-apimgt/blob/v6.6.163/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/issuers/APIMTokenIssuer.java#L135
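The failure mode described above, as an added illustration that is not WSO2 code: a request context is stashed in a ThreadLocal on one request path but never on another, so a downstream component that dereferences it unconditionally fails only on the second path. All class and method names (TokenReqContext, TOKEN_REQ_CTX, renewTokenUnsafe, recoverSafe, the two flow methods) are hypothetical stand-ins for the tokReqMsgCtx thread local, the DAO recovery step and the IS-KM token issuer; the null-tolerant issuer shows one defensive pattern, not the project's actual fix.

```java
import java.util.Objects;

/**
 * Added illustration, not WSO2 code: a context object populated in a ThreadLocal by the
 * token-endpoint path but not by the authorization-endpoint (implicit/hybrid) path, and a
 * token issuer that only works when the slot was filled. Names are hypothetical.
 */
public class ThreadLocalContextGap {

    /** Stand-in for the token request message context the recovery path reads. */
    static final class TokenReqContext {
        final String clientId;
        TokenReqContext(String clientId) { this.clientId = Objects.requireNonNull(clientId); }
    }

    /** Stand-in for the thread-local slot; only the token-endpoint path sets it. */
    static final ThreadLocal<TokenReqContext> TOKEN_REQ_CTX = new ThreadLocal<>();

    /** Issuer that treats the context as an invariant (the pattern that throws). */
    static String renewTokenUnsafe(TokenReqContext ctx) {
        return "tok-" + ctx.clientId;               // NullPointerException when ctx is null
    }

    /** Hardened issuer: a missing context is a normal case, fall back to what the DAO row has. */
    static String renewTokenSafe(TokenReqContext ctx, String clientIdFromDaoRow) {
        String clientId = (ctx != null) ? ctx.clientId : clientIdFromDaoRow;
        return "tok-" + clientId;
    }

    /** Recovery step as the issue describes it: read the thread local, hand it to the issuer. */
    static String recoverUnsafe(String clientIdFromDaoRow) {
        return renewTokenUnsafe(TOKEN_REQ_CTX.get());
    }

    /** Same step with the issuer that tolerates an unset thread local. */
    static String recoverSafe(String clientIdFromDaoRow) {
        return renewTokenSafe(TOKEN_REQ_CTX.get(), clientIdFromDaoRow);
    }

    /** Token-endpoint-style path: set the slot before the DAO runs, clear it afterwards. */
    static String tokenEndpointFlow(String clientId) {
        TOKEN_REQ_CTX.set(new TokenReqContext(clientId));
        try {
            return recoverUnsafe(clientId);
        } finally {
            TOKEN_REQ_CTX.remove();                 // never leak request state across pooled threads
        }
    }

    /** Authorization-endpoint-style path (response_type=token / id_token): nothing sets the slot. */
    static String authzEndpointFlowUnsafe(String clientId) {
        return recoverUnsafe(clientId);
    }

    /** Same path, but the recovery step uses the null-tolerant issuer. */
    static String authzEndpointFlowSafe(String clientId) {
        return recoverSafe(clientId);
    }

    public static void main(String[] args) {
        System.out.println(tokenEndpointFlow("client-a"));
        try {
            authzEndpointFlowUnsafe("client-a");
        } catch (NullPointerException e) {
            System.out.println("authz flow with unsafe issuer: NullPointerException, thread local was never set");
        }
        System.out.println(authzEndpointFlowSafe("client-a"));
    }
}
```

Running the class prints a token for the token-endpoint-style path, an NPE message for the authorization-endpoint-style path with the unsafe issuer, and a token again once the issuer stops assuming the thread local is set. The broader lesson is that a ThreadLocal is an implicit parameter: every entry point that can reach the consumer has to populate it, and the `finally { remove() }` matters on pooled server threads so one request's context cannot be observed by the next.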
