Open HiroVodka opened 5 months ago
Do you have a sample app? Are you using Micronaut Security?
Hello, we are facing the same issue when interacting with a JWKS endpoint after upgrading to Micronaut 4.5.0. We've tried disabling the http-client to revert to the previous Nimbus behaviour, but now we are getting:
java.net.SocketException: Closed by interrupt
at java.base/java.net.Socket$SocketInputStream.read(Unknown Source)
at java.base/sun.security.ssl.SSLSocketInputRecord.read(Unknown Source)
at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(Unknown Source)
at java.base/sun.security.ssl.SSLSocketInputRecord.bytesInCompletePacket(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(Unknown Source)
at java.base/java.io.BufferedInputStream.fill(Unknown Source)
at java.base/java.io.BufferedInputStream.read1(Unknown Source)
at java.base/java.io.BufferedInputStream.implRead(Unknown Source)
at java.base/java.io.BufferedInputStream.read(Unknown Source)
at java.base/sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
at java.base/sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:366)
at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:269)
at io.micronaut.security.token.jwt.signature.jwks.ResourceRetrieverJwksClient.lambda$load$0(ResourceRetrieverJwksClient.java:65)
at reactor.core.publisher.MonoCallable$MonoCallableSubscription.request(MonoCallable.java:137)
at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.request(FluxMapFuseable.java:171)
at reactor.core.publisher.MonoSubscribeOn$SubscribeOnSubscriber.trySchedule(MonoSubscribeOn.java:189)
at reactor.core.publisher.MonoSubscribeOn$SubscribeOnSubscriber.onSubscribe(MonoSubscribeOn.java:134)
at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onSubscribe(FluxMapFuseable.java:96)
at reactor.core.publisher.MonoCallable.subscribe(MonoCallable.java:48)
at reactor.core.publisher.Mono.subscribe(Mono.java:4568)
at reactor.core.publisher.MonoSubscribeOn$SubscribeOnSubscriber.run(MonoSubscribeOn.java:126)
at io.micronaut.core.propagation.PropagatedContext.lambda$wrap$3(PropagatedContext.java:211)
at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:84)
at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:37)
at io.micronaut.core.propagation.PropagatedContext.lambda$wrap$4(PropagatedContext.java:228)
at io.micronaut.core.propagation.PropagatedContext.lambda$wrap$4(PropagatedContext.java:228)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.lang.VirtualThread.run(Unknown Source)
Worth noting that this issue happens much more reliably with the Nimbus implementation. Not sure if the root cause is the same. Looks like the Publisher is cancelled for some reason?
We have rolled back to Micronaut 4.4.3 for now, where we are not facing this issue.
Do you have steps to reproduce?
I have a hypothesis, as we are supporting multiple JWKS for the authentication. If Micronaut Security has already used one JWKS to authenticate the request, it will cancel the other JWKS fetches, and thus end up with this error log.
Here is a sample code to reproduce it: https://github.com/yibo-long/micronaut-http-client-failure
It requires having 3 Cognito pools to have a more reproducible state. Tested with 2 pools and could only get the error logs sparsely.
Steps:
POOL_1, POOL_2, and POOL_3.
./gradlew run
10:45:24.484 [virtual-executor4] ERROR i.m.s.t.j.s.j.ResourceRetrieverJwksClient - Exception loading JWK from xxx
java.net.SocketException: Closed by interrupt
at java.base/java.net.Socket$SocketInputStream.read(Socket.java:1106)
at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:489)
at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:483)
at java.base/sun.security.ssl.SSLSocketInputRecord.bytesInCompletePacket(SSLSocketInputRecord.java:70)
at java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1461)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1066)
at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:291)
at java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:347)
at java.base/java.io.BufferedInputStream.implRead(BufferedInputStream.java:420)
at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:399)
at java.base/sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:827)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:759)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1690)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1599)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:223)
at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:366)
at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:269)
at io.micronaut.security.token.jwt.signature.jwks.ResourceRetrieverJwksClient.lambda$load$0(ResourceRetrieverJwksClient.java:65)
at reactor.core.publisher.MonoCallable$MonoCallableSubscription.request(MonoCallable.java:137)
at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.request(FluxMapFuseable.java:171)
at reactor.core.publisher.MonoSubscribeOn$SubscribeOnSubscriber.trySchedule(MonoSubscribeOn.java:189)
at reactor.core.publisher.MonoSubscribeOn$SubscribeOnSubscriber.onSubscribe(MonoSubscribeOn.java:134)
at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onSubscribe(FluxMapFuseable.java:96)
at reactor.core.publisher.MonoCallable.subscribe(MonoCallable.java:48)
at reactor.core.publisher.Mono.subscribe(Mono.java:4576)
at reactor.core.publisher.MonoSubscribeOn$SubscribeOnSubscriber.run(MonoSubscribeOn.java:126)
at io.micronaut.core.propagation.PropagatedContext.lambda$wrap$3(PropagatedContext.java:211)
at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:84)
at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:37)
at io.micronaut.core.propagation.PropagatedContext.lambda$wrap$4(PropagatedContext.java:228)
at io.micronaut.core.propagation.PropagatedContext.lambda$wrap$4(PropagatedContext.java:228)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
at java.base/java.lang.VirtualThread.run(VirtualThread.java:309)
Based on the above hypothesis, I checked micronaut-security code, but this doesn't seem to be picking up the first passed verification: https://github.com/micronaut-projects/micronaut-security/blob/422601f7ffb003e2f332965550bdbcd48e2bf84b/security-jwt/src/main/java/io/micronaut/security/token/jwt/nimbus/NimbusReactiveJsonWebTokenSignatureValidator.java#L46-L49
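The mechanism the hypothesis above relies on, as an added example that is not part of the original thread and not Micronaut Security code: on JDK 21+, cancelling a task whose virtual thread is blocked in a socket read interrupts the thread and closes the socket, so the losing fetch fails with a `java.net.SocketException` like the one in the traces. The class name, the `blockingFetch` helper and the silent local server standing in for a slow JWKS endpoint are hypothetical; whether Micronaut Security cancels fetches this way is not established by the thread.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration for JDK 21+, not Micronaut Security code.
// CancelledFetchDemo, blockingFetch and the silent local server are hypothetical.
public class CancelledFetchDemo {

    // Blocking socket read, standing in for a JWKS download that has not answered yet.
    static String blockingFetch(int port) throws IOException {
        try (Socket socket = new Socket("127.0.0.1", port)) {
            socket.getInputStream().read(); // blocks: the server never writes
            return "slow-jwks";
        } catch (IOException e) {
            // An interrupted virtual thread keeps its interrupt status, which
            // separates a cancelled fetch from a genuine endpoint failure.
            String kind = Thread.currentThread().isInterrupted()
                    ? "cancelled fetch" : "endpoint failure";
            System.out.println(kind + ": " + e);
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Resources close in reverse order: the executor waits for the
        // cancelled task to finish before the server socket is closed.
        try (ServerSocket silent = new ServerSocket(0);
             ExecutorService executor = Executors.newVirtualThreadPerTaskExecutor()) {
            Callable<String> slow = () -> blockingFetch(silent.getLocalPort());
            Callable<String> fast = () -> "fast-jwks";
            // invokeAny returns the first successful result and cancels the
            // tasks still running, which interrupts their threads.
            String winner = executor.invokeAny(List.of(slow, fast));
            System.out.println("validated with: " + winner);
        }
    }
}
```

Checking the interrupt status in the catch block is one way to log a cancelled key fetch at a lower level than a real JWKS endpoint outage, which matters when ERROR lines from token validation feed alerting.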
Expected Behavior
Authentication with OAuth 2.0 should be no problem with the functionality provided by Micronaut. However, since the major version of Micronaut is 4.x.x, errors occur very rarely during authentication.
Actual Behaviour
This error occurs when requesting the POST /oauth/token endpoint for OAuth authentication.
Also, whenever an error occurs, this WARN is logged
Steps To Reproduce
Reproduction method unknown
In our environment, it happens very rarely when a user authenticates.
Environment Information
Example Application
No response
Version
4.3.6