OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

Private Key Jwt - SRVE8094W: WARNING: Cannot set header. Response already committed. #25275

Open c00crane opened 1 year ago

c00crane commented 1 year ago

When I enable private key jwt in the openidconnectclient or oidcLogin configs, I see "SRVE8094W: WARNING: Cannot set header. Response already committed." errors in the server side logs.

[5/15/23, 15:04:53:469 CDT] 00000056 io.openliberty.security.oidcclientcore.token.TokenRequestor  I BETA: A beta method has been invoked for the class io.openliberty.security.oidcclientcore.token.TokenRequestor for the first time.
[5/15/23, 15:04:54:563 CDT] 00000056 com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: An FFDC Incident has been created: "io.openliberty.security.oidcclientcore.http.BadPostRequestException: {"error_description":"CWWKS1406E: The token request had an invalid client credential. The request URI was \/oidc\/endpoint\/OidcConfigSample_RS256\/token.","error":"invalid_request"} com.ibm.ws.security.openidconnect.clients.common.AuthorizationCodeHandler 115" at ffdc_23.05.15_15.04.54.0.log
[5/15/23, 15:04:54:566 CDT] 00000056 curity.openidconnect.clients.common.AuthorizationCodeHandler E CWWKS1708E: The OpenID Connect client [client_RS256] is unable to contact the OpenID Connect provider at [https://localhost:8920/oidc/endpoint/OidcConfigSample_RS256/token] to receive an ID token due to [{"error_description":"CWWKS1406E: The token request had an invalid client credential. The request URI was \/oidc\/endpoint\/OidcConfigSample_RS256\/token.","error":"invalid_request"}].
[5/15/23, 15:04:54:639 CDT] 00000056 com.ibm.ws.webcontainer.srt                                  W SRVE8094W: WARNING: Cannot set header. Response already committed.  Stack trace of errant attempt to set header: 
        at com.ibm.ws.webcontainer40.srt.SRTServletResponse40.addCookie(SRTServletResponse40.java:107)
        at [internal classes].(Unknown Source)

socialRspAlreadyComm.zip oidcRspAlreadyComm.zip
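A defender-side way to triage this in messages.log, added here as an example that is not part of the issue or of the Open Liberty code base: it correlates a CWWKS1708E token-endpoint failure with a later SRVE8094W on the same thread id, so the warning can be tied to a failed OIDC token exchange (and the affected client id and token endpoint reported) instead of being ignored wholesale. The sample lines are constructed from the excerpt above; the entry layout assumed is `[timestamp] threadId source level message`.

```python
import re

# Liberty messages.log entry: [timestamp] threadId source level message
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<thread>[0-9A-Fa-f]{8}) (?P<src>\S+)\s+"
    r"(?P<level>[A-Z]) (?P<msg>.*)$"
)
# Pulls client id and token endpoint out of a CWWKS1708E message
CLIENT_RE = re.compile(r"client \[(?P<client>[^\]]+)\].*provider at \[(?P<endpoint>[^\]]+)\]")

# Constructed sample, modelled on the excerpt in the report (thread 00000061 is a
# lone SRVE8094W with no preceding token failure, so it must not be reported).
SAMPLE_LOG = """\
[5/15/23, 15:04:53:469 CDT] 00000056 io.openliberty.security.oidcclientcore.token.TokenRequestor  I BETA: A beta method has been invoked for the class io.openliberty.security.oidcclientcore.token.TokenRequestor for the first time.
[5/15/23, 15:04:54:566 CDT] 00000056 curity.openidconnect.clients.common.AuthorizationCodeHandler E CWWKS1708E: The OpenID Connect client [client_RS256] is unable to contact the OpenID Connect provider at [https://localhost:8920/oidc/endpoint/OidcConfigSample_RS256/token] to receive an ID token due to [{"error":"invalid_request"}].
[5/15/23, 15:04:54:639 CDT] 00000056 com.ibm.ws.webcontainer.srt                                  W SRVE8094W: WARNING: Cannot set header. Response already committed.  Stack trace of errant attempt to set header: 
        at com.ibm.ws.webcontainer40.srt.SRTServletResponse40.addCookie(SRTServletResponse40.java:107)
[5/15/23, 15:05:01:120 CDT] 00000061 com.ibm.ws.webcontainer.srt                                  W SRVE8094W: WARNING: Cannot set header. Response already committed.  Stack trace of errant attempt to set header: 
"""


def parse_entries(text):
    """Yield (thread, level, msg) per log entry; continuation lines (stack frames) are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("thread"), m.group("level"), m.group("msg")


def find_committed_after_token_failure(text):
    """Return {thread: {"client": ..., "endpoint": ...}} for every thread on which a
    CWWKS1708E token-endpoint failure is followed by an SRVE8094W warning."""
    failures = {}  # thread -> details of the most recent CWWKS1708E on that thread
    hits = {}
    for thread, level, msg in parse_entries(text):
        if msg.startswith("CWWKS1708E"):
            m = CLIENT_RE.search(msg)
            failures[thread] = (
                {"client": m.group("client"), "endpoint": m.group("endpoint")} if m else {}
            )
        elif msg.startswith("SRVE8094W") and thread in failures:
            hits[thread] = failures.pop(thread)
    return hits


if __name__ == "__main__":
    for thread, info in find_committed_after_token_failure(SAMPLE_LOG).items():
        print(f"thread {thread}: header set after commit following token failure for {info}")
```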

ayoho commented 1 year ago

This one's not limited to just private key JWT scenarios. I also see this running the Social_BasicConfigTests_badClientSecret test in the com.ibm.ws.security.social_fat.LibertyOP.1 bucket.

c00crane commented 1 year ago

I moved the response committed checks from individual test cases to the @BeforeClass methods in

com.ibm.ws.security.oidc.client_fat.3/fat/src/com/ibm/ws/security/openidconnect/client/fat/IBM/OidcClientPrivateKeyJwtTests.java
com.ibm.ws.security.social_fat.LibertyOP.3/fat/src/com/ibm/ws/security/social/fat/LibertyOP/LibertyOP_Social_PrivateKeyJwtTests.java

When this is updated, could you remove this line?

clientServer.addIgnoredServerExceptions(MessageConstants.SRVE8094W_CANNOT_SET_HEADER_RESPONSE_COMMITTED, MessageConstants.SRVE8115W_CANNOT_SET_HEADER_RESPONSE_COMMITTED);