FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Samlv2/acl failing with NullPointerException in validateAuthorizeRequest #379

Closed karice closed 4 years ago

karice commented 4 years ago

Description

NullPointerException when trying to authenticate via SAML and Auth0.

Steps to reproduce

Steps to reproduce the behavior:

  1. Navigate to FusionAuth Hosted UI
  2. Click Sign In With SAML
  3. Sign In To Auth0
  4. Returned to FusionAuth with samlv2/acs error and NullPointerException
  5. See error

Expected behavior

User should be signed in.

Screenshots

[Screenshot: Screen Shot 2019-11-21 at 2 41 57 PM]

[Screenshot: Screen Shot 2019-11-21 at 2 47 26 PM]

[Screenshot: Screen Shot 2019-11-21 at 2 48 27 PM]

Platform

  - Docker container
  - FusionAuth 1.11.0
  - Chrome

Additional context

Auth0 Mappings:

{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.xmlsoap.org/claims/Group"
  },
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
}

Auth0 Application Callback URL: http://localhost:9011/samlv2/acs

Request:

POST http://localhost:9011/samlv2/acs
Status: 500
Payload:
  SAMLResponse: ...
  RelayState: client_id=49f9e218-7263-41fc-850d-1fae8c865d62&code_challenge=&code_challenge_method=&metaData.device.name=Mac%20Chrome&metaData.device.type=BROWSER&nonce=&redirect_uri=http%3A%2F%2Flocalhost&response_mode=&response_type=code&scope=&state=&tenantId=e2fce081-a9b1-4fda-b5ff-71009f7fb212&timezone=America%2FChicago&user_code=&identityProviderId=11df3e2e-d49b-47d7-86a7-2bbb3b367a11

Stack:

fusionauth_1 | Nov 21, 2019 8:41:14.578 PM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
fusionauth_1 | java.lang.NullPointerException: null
fusionauth_1 | at io.fusionauth.api.service.oauth2.DefaultOAuthService.validateAuthorizeRequest(DefaultOAuthService.java:563)
fusionauth_1 | at io.fusionauth.app.action.oauth2.BaseOAuthAction.validateAndHandleErrors(BaseOAuthAction.java:501)
fusionauth_1 | at io.fusionauth.app.action.oauth2.CallbackAction.get(CallbackAction.java:105)
fusionauth_1 | at io.fusionauth.app.action.oauth2.CallbackAction.post(CallbackAction.java:164)
fusionauth_1 | at sun.reflect.GeneratedMethodAccessor227.invoke(Unknown Source)
fusionauth_1 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
fusionauth_1 | at java.lang.reflect.Method.invoke(Method.java:498)
fusionauth_1 | at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:414)
fusionauth_1 | at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:79)
fusionauth_1 | at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:62)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:60)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:45)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at io.fusionauth.app.primeframework.FrontEndTenantWorkflow.perform(FrontEndTenantWorkflow.java:168)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:126)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:89)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:57)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at io.fusionauth.app.primeframework.CORSFilter.handleSimpleCORS(CORSFilter.java:445)
fusionauth_1 | at io.fusionauth.app.primeframework.CORSFilter.doFilter(CORSFilter.java:242)
fusionauth_1 | at io.fusionauth.app.primeframework.CORSRequestWorkflow.perform(CORSRequestWorkflow.java:48)
fusionauth_1 | at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
fusionauth_1 | at io.fusionauth.app.primeframework.FusionAuthMVCWorkflow.perform(FusionAuthMVCWorkflow.java:88)
fusionauth_1 | at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44)
fusionauth_1 | at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50)
fusionauth_1 | at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:84)
fusionauth_1 | at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:59)
fusionauth_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
fusionauth_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
fusionauth_1 | at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27)
fusionauth_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
fusionauth_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
fusionauth_1 | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
fusionauth_1 | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
fusionauth_1 | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
fusionauth_1 | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
fusionauth_1 | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
fusionauth_1 | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
fusionauth_1 | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
fusionauth_1 | at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
fusionauth_1 | at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
fusionauth_1 | at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
fusionauth_1 | at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
fusionauth_1 | at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
fusionauth_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
fusionauth_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
fusionauth_1 | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
fusionauth_1 | at java.lang.Thread.run(Thread.java:748)

robotdan commented 4 years ago

Thanks for opening this issue @karice .

The exception is occurring while we are attempting to validate the request origin. I don't know yet how this is possible unless the Referrer or Origin HTTP header is not what we expect.

Can you try removing your two Authorized Origin URLs from your configuration and re-test to see if the symptom persists? This may help us narrow down the issue.

karice commented 4 years ago

Good call. That fixed it for me. I added those trying to work past another issue and forgot to remove them. It's all working now. Thanks.

robotdan commented 4 years ago

> Good call. That fixed it for me. I added those trying to work past another issue and forgot to remove them. It's all working now. Thanks.

Excellent. So we have a bug in there somewhere. Glad you have a workaround for now!

robotdan commented 4 years ago

@karice In your Docker configuration do you have any proxy configured that would be setting the X-Forwarded-Host header, or be modifying the Referer or Origin headers?

robotdan commented 4 years ago

I figured it out. The user agent (browser) can send "null" in the Origin header when the HTTP schema doesn't match, and perhaps other times. The w3 spec does account for this scenario I found out.

In this case I think it is because the Auth0 SAML endpoint is https and your local dev box is http. The origin header came in as "null" and we weren't expecting that so we went ahead and attempted to compare it against your configured origins and took an exception because the "null" URI doesn't have a scheme or host.

Thanks for reporting this, it will be fixed in the upcoming release.