Describe the issue:
During the CON_APP_KEY recovery flow, the DAO reads tokReqMsgCtx from a thread local and passes it to the token issuer at [1]. That thread local is only populated by the token endpoint flow; it is never set in the hybrid (authorization endpoint) flow, so the issuer receives null there.
The default token issuers in IS do not use this tokReqMsgCtx, so the problem is masked. IS-KM, however, ships a token issuer that dereferences it, see [2], which is why the recovery path ends in a NullPointerException there.
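A simplified model of this failure mode, added here as an illustration and not code from identity-inbound-auth-oauth or carbon-apimgt: every class, method and field name in it (TokenReqContext, TOKEN_REQ_CTX, recoverFromThreadLocal, recoverWithContext, the in-memory ACTIVE_TOKENS map) is a hypothetical stand-in for the real OAuthTokenReqMessageContext thread local, the IS-KM issuer's renewAccessTokenPerRequest and the unique constraint on the token table. It fires the same authorization request on two worker threads, the way the two curls in the reproduction steps hit two nodes, so that exactly one insert violates the constraint and runs recovery. With the thread-local shape the loser dies with a NullPointerException inside the issuer; with the context passed explicitly by the caller (an assumption about how the authz flow could supply it), both requests finish with a token. Requires Java 16+ for records.

```java
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;

/**
 * Hypothetical, simplified model (not WSO2 code) of the CON_APP_KEY recovery path
 * described in the issue. All names are illustrative stand-ins.
 */
public final class ConAppKeyRecoveryDemo {

    /** Stand-in for the token request context a custom issuer reads on renewal. */
    record TokenReqContext(String clientId, String user, String scope) {}

    /** Stand-in for the thread local that only the token-endpoint flow populates. */
    static final ThreadLocal<TokenReqContext> TOKEN_REQ_CTX = new ThreadLocal<>();

    /** Raised by the store when (clientId, user, scope) already has an ACTIVE token. */
    static final class ConAppKeyViolation extends Exception {
        ConAppKeyViolation(String key) { super("CON_APP_KEY violated for " + key); }
    }

    /** Issuer that, like the IS-KM one, dereferences the request context on renewal. */
    interface TokenIssuer { String renewAccessTokenPerRequest(TokenReqContext ctx); }

    // Throws NullPointerException when ctx is null, mirroring the stack trace in the issue.
    static final TokenIssuer ISSUER = ctx -> "renewed-" + ctx.clientId() + "-" + ctx.user();

    /** Simulated ACTIVE token table keyed by the unique-constraint columns. */
    static final Map<String, String> ACTIVE_TOKENS = new ConcurrentHashMap<>();

    static String conAppKey(TokenReqContext ctx) {
        return ctx.clientId() + "|" + ctx.user() + "|" + ctx.scope();
    }

    static String insertAccessToken(TokenReqContext ctx, String token) throws ConAppKeyViolation {
        // putIfAbsent is atomic, so of two concurrent inserts exactly one hits the violation.
        if (ACTIVE_TOKENS.putIfAbsent(conAppKey(ctx), token) != null) {
            throw new ConAppKeyViolation(conAppKey(ctx));
        }
        return token;
    }

    /** Buggy shape: recovery reads the context from the thread local the authz flow never set. */
    static String recoverFromThreadLocal() {
        TokenReqContext ctx = TOKEN_REQ_CTX.get();     // null on the authz (hybrid/implicit) path
        return ISSUER.renewAccessTokenPerRequest(ctx);  // NPE surfaces deep inside the issuer
    }

    /** Hardened shape: the caller passes the context it already holds; a missing one fails early and clearly. */
    static String recoverWithContext(TokenReqContext ctx) {
        Objects.requireNonNull(ctx, "token request context is required for CON_APP_KEY recovery");
        String token = ISSUER.renewAccessTokenPerRequest(ctx);
        ACTIVE_TOKENS.put(conAppKey(ctx), token);       // replace the winner's token with the renewed one
        return token;
    }

    /** One authorization-endpoint request: try to insert, and on a violation run the chosen recovery. */
    static String authorize(TokenReqContext ctx, boolean hardened, int node) {
        try {
            return insertAccessToken(ctx, "new-" + node);
        } catch (ConAppKeyViolation e) {
            return hardened ? recoverWithContext(ctx) : recoverFromThreadLocal();
        }
    }

    /** Fires the same request at two "nodes" concurrently, like the two curls in the reproduction steps. */
    static void raceTwoNodes(boolean hardened) throws InterruptedException {
        ACTIVE_TOKENS.clear();
        TokenReqContext ctx = new TokenReqContext("client-A", "alice", "openid"); // constructed sample
        ExecutorService pool = Executors.newFixedThreadPool(2);
        Future<String> n1 = pool.submit(() -> authorize(ctx, hardened, 1));
        Future<String> n2 = pool.submit(() -> authorize(ctx, hardened, 2));
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.SECONDS);
        String label = hardened ? "hardened" : "buggy";
        for (Future<String> f : List.of(n1, n2)) {
            try {
                System.out.println(label + ": " + f.get());
            } catch (ExecutionException e) {
                System.out.println(label + ": " + e.getCause()); // java.lang.NullPointerException in the buggy run
            }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        raceTwoNodes(false); // one node gets a token, the other a NullPointerException
        raceTwoNodes(true);  // both nodes get a token; the loser received the renewed one
    }
}
```

The design point is that recovery code should not depend on request state smuggled through a ThreadLocal that only some entry points populate; passing the context as a parameter makes the missing-context case a compile-time concern at each call site, and the requireNonNull turns any remaining gap into a descriptive error at the recovery boundary instead of an NPE several frames down in a plug-in issuer.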
How to reproduce:
(The steps are longer since it is hard to get CON_APP_KEY violations in a simple setup. Therefore we are setting up JWT token type and two IS nodes)
Configure an APIM 3.1 + IS-KM 5.10 setup sharing the DBs (two IS instances are required)
Create an application from apim dev portal and set the token type to JWT
Log in to that app using the code grant, accept consent with "always", and obtain the commonAuthId cookie value from the browser.
Invoke the following command (which runs two curls to two IS nodes) multiple times
Make sure to update the client id and the commonAuthId cookie value in both curl commands, and make sure the two commands use the ports of the two different IS nodes.
The same can be reproduced with response_type=id_token as well.
ERROR {org.wso2.carbon.identity.oauth2.OAuth2Service} - Error occurred when processing the authorization request. Returning an error back to client. java.lang.NullPointerException
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.renewAccessTokenPerRequest_aroundBody4(APIMTokenIssuer.java:147)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.renewAccessTokenPerRequest(APIMTokenIssuer.java:145)
at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.recoverFromConAppKeyConstraintViolation(AccessTokenDAOImpl.java:2261)
at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.insertAccessToken(AccessTokenDAOImpl.java:292)
at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.insertAccessToken(AccessTokenDAOImpl.java:106)
at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.insertAccessToken(AccessTokenDAOImpl.java:354)
at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.storeAccessToken(ResponseTypeHandlerUtil.java:648)
at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.persistAccessTokenInDB(ResponseTypeHandlerUtil.java:632)
at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.generateNewAccessToken(ResponseTypeHandlerUtil.java:521)
at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.generateAccessToken(ResponseTypeHandlerUtil.java:193)
at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.generateAccessToken(ResponseTypeHandlerUtil.java:133)
at org.wso2.carbon.identity.oauth2.authz.handlers.IDTokenResponseTypeHandler.issue(IDTokenResponseTypeHandler.java:38)
at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.handleAuthorization(AuthorizationHandlerManager.java:105)
at org.wso2.carbon.identity.oauth2.OAuth2Service.authorize(OAuth2Service.java:104)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:2720)
ERROR {org.wso2.carbon.identity.oauth2.OAuth2Service} - Error occurred when processing the authorization request. Returning an error back to client. java.lang.NullPointerException
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.renewAccessTokenPerRequest_aroundBody4(APIMTokenIssuer.java:147)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.renewAccessTokenPerRequest(APIMTokenIssuer.java:145)
at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.recoverFromConAppKeyConstraintViolation(AccessTokenDAOImpl.java:2261)
at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.insertAccessToken(AccessTokenDAOImpl.java:292)
at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.insertAccessToken(AccessTokenDAOImpl.java:106)
at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.insertAccessToken(AccessTokenDAOImpl.java:354)
at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.storeAccessToken(ResponseTypeHandlerUtil.java:648)
at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.persistAccessTokenInDB(ResponseTypeHandlerUtil.java:632)
at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.generateNewAccessToken(ResponseTypeHandlerUtil.java:521)
at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.generateAccessToken(ResponseTypeHandlerUtil.java:193)
at org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil.generateAccessToken(ResponseTypeHandlerUtil.java:133)
at org.wso2.carbon.identity.oauth2.authz.handlers.AccessTokenResponseTypeHandler.issue(AccessTokenResponseTypeHandler.java:43)
at org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.handleAuthorization(AuthorizationHandlerManager.java:105)
at org.wso2.carbon.identity.oauth2.OAuth2Service.authorize(OAuth2Service.java:104)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:2720)
curl -kv 'https://localhost:9443/oauth2/authorize?nonce=a&state=aaa&response_type=token&redirect_uri=https%3A%2F%2Flocalhost&scope=openid&client_id=<client_id>' -H 'Cookie: commonAuthId=<commonAuthId>' & curl -kv 'https://localhost:9444/oauth2/authorize?nonce=a&state=aaa&response_type=token&redirect_uri=https%3A%2F%2Flocalhost&scope=openid&client_id=<client_id>' -H 'Cookie: commonAuthId=<commonAuthId>'
Environment information
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/f42be384bad35ae814ce96c5ea8299c3acd1f4a2/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/AccessTokenDAOImpl.java#L2503-L2505
[2] https://github.com/wso2/carbon-apimgt/blob/v6.6.163/components/apimgt/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/issuers/APIMTokenIssuer.java#L135