Keycloak throws a NullPointerException on token exchange if the subject token was obtatined through client credentials.
Exception stack:
2022-06-20 14:56:23,965 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-34) AUTHENTICATE CLIENT 2022-06-20 14:56:23,965 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-34) client authenticator: client-secret 2022-06-20 14:56:23,966 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-34) client authenticator SUCCESS: client-secret 2022-06-20 14:56:23,966 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-34) Client cli authenticated by client-secret 2022-06-20 14:56:23,970 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (executor-thread-34)hibernate.connection.provider_disablesautocommit` was enabled. This setting should only be enabled when you are certain that the Connections given to Hibernate by the ConnectionProvider have auto-commit disabled. Enabling this setting when the Connections do not have auto-commit disabled will lead to Hibernate executing SQL operations outside of any JDBC/SQL transaction.
2022-06-20 14:56:23,971 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (executor-thread-34) Hibernate RegisteredSynchronization successfully registered with JTA platform
2022-06-20 14:56:23,973 DEBUG [org.hibernate.SQL] (executor-thread-34) select resourcese0.ID as id1_600, resourcese0_.ALLOW_RS_REMOTE_MGMT as allow_rs2_600, resourcese0_.DECISION_STRATEGY as decision3_600, resourcese0_.POLICY_ENFORCE_MODE as policy_e4_600 from RESOURCESERVER resourcese0 where resourcese0_.ID=?
2022-06-20 14:56:23,974 DEBUG [org.hibernate.loader.plan.exec.process.internal.EntityReferenceInitializerImpl] (executor-thread-34) On call to EntityIdentifierReaderImpl#resolve, EntityKey was already known; should only happen on root returns with an optional identifier specified
2022-06-20 14:56:23,974 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Resolving attributes for [org.keycloak.authorization.jpa.entities.ResourceServerEntity#936c637c-3302-4b5c-a7d2-37e000dfb3cf]
2022-06-20 14:56:23,974 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Processing attribute allowRemoteResourceManagement : value = false
2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Attribute (allowRemoteResourceManagement) - enhanced for lazy-loading? - false
2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Processing attribute decisionStrategy : value = UNANIMOUS
2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Attribute (decisionStrategy) - enhanced for lazy-loading? - false
2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Processing attribute policyEnforcementMode : value = ENFORCING
2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Attribute (policyEnforcementMode) - enhanced for lazy-loading? - false
2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Done materializing entity [org.keycloak.authorization.jpa.entities.ResourceServerEntity#936c637c-3302-4b5c-a7d2-37e000dfb3cf]
2022-06-20 14:56:23,975 DEBUG [org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader] (executor-thread-34) Done entity load : org.keycloak.authorization.jpa.entities.ResourceServerEntity#936c637c-3302-4b5c-a7d2-37e000dfb3cf
2022-06-20 14:56:23,980 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-34) Uncaught server error: java.lang.NullPointerException
at org.keycloak.protocol.oidc.TokenManager.attachAuthenticationSession(TokenManager.java:542)
at org.keycloak.protocol.oidc.DefaultTokenExchangeProvider.exchangeClientToOIDCClient(DefaultTokenExchangeProvider.java:376)
at org.keycloak.protocol.oidc.DefaultTokenExchangeProvider.exchangeClientToClient(DefaultTokenExchangeProvider.java:339)
at org.keycloak.protocol.oidc.DefaultTokenExchangeProvider.tokenExchange(DefaultTokenExchangeProvider.java:237)
at org.keycloak.protocol.oidc.DefaultTokenExchangeProvider.exchange(DefaultTokenExchangeProvider.java:123)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:789)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:204)
at jdk.internal.reflect.GeneratedMethodAccessor355.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:71)
at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:543)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)`
Version
18.0.0
Expected behavior
Successful response containing an (access_token, refresh_token) pair.
Actual behavior
Error response with HTTP code 500 and a payload reading {"error":"unknown_error"} stemming from a NullPointerException in the backend.
How to Reproduce?
Start Keycloak with the token exchange feature enabled.
Create a confidential client with Service Account (client credentials grant) enabled.
Create a target client with a token exchange permissions enabled and a client policy referring the client created at step 2.
Perform a /token endpoint request using _clientid and _clientsecret of the client created at step 2.
Attempt to exchange the token using the urn:ietf:params:oauth:grant-type:token-exchange _granttype, and setting the client from step 3 as audience.
Anything else?
I looked at the source code and the error most probably stems from a null token session associated with a token obtained through the client-credentials grant.
Describe the bug
Keycloak throws a NullPointerException on token exchange if the subject token was obtatined through client credentials.
Exception stack:
2022-06-20 14:56:23,965 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-34) AUTHENTICATE CLIENT 2022-06-20 14:56:23,965 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-34) client authenticator: client-secret 2022-06-20 14:56:23,966 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-34) client authenticator SUCCESS: client-secret 2022-06-20 14:56:23,966 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-34) Client cli authenticated by client-secret 2022-06-20 14:56:23,970 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (executor-thread-34)hibernate.connection.provider_disablesautocommit` was enabled. This setting should only be enabled when you are certain that the Connections given to Hibernate by the ConnectionProvider have auto-commit disabled. Enabling this setting when the Connections do not have auto-commit disabled will lead to Hibernate executing SQL operations outside of any JDBC/SQL transaction. 2022-06-20 14:56:23,971 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (executor-thread-34) Hibernate RegisteredSynchronization successfully registered with JTA platform 2022-06-20 14:56:23,973 DEBUG [org.hibernate.SQL] (executor-thread-34) select resourcese0.ID as id1_600, resourcese0_.ALLOW_RS_REMOTE_MGMT as allow_rs2_600, resourcese0_.DECISION_STRATEGY as decision3_600, resourcese0_.POLICY_ENFORCE_MODE as policy_e4_600 from RESOURCESERVER resourcese0 where resourcese0_.ID=? 2022-06-20 14:56:23,974 DEBUG [org.hibernate.loader.plan.exec.process.internal.EntityReferenceInitializerImpl] (executor-thread-34) On call to EntityIdentifierReaderImpl#resolve, EntityKey was already known; should only happen on root returns with an optional identifier specified 2022-06-20 14:56:23,974 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Resolving attributes for [org.keycloak.authorization.jpa.entities.ResourceServerEntity#936c637c-3302-4b5c-a7d2-37e000dfb3cf] 2022-06-20 14:56:23,974 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Processing attributeallowRemoteResourceManagement: value = false 2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Attribute (allowRemoteResourceManagement) - enhanced for lazy-loading? - false 2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Processing attributedecisionStrategy: value = UNANIMOUS 2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Attribute (decisionStrategy) - enhanced for lazy-loading? - false 2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Processing attributepolicyEnforcementMode: value = ENFORCING 2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Attribute (policyEnforcementMode) - enhanced for lazy-loading? - false 2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Done materializing entity [org.keycloak.authorization.jpa.entities.ResourceServerEntity#936c637c-3302-4b5c-a7d2-37e000dfb3cf] 2022-06-20 14:56:23,975 DEBUG [org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader] (executor-thread-34) Done entity load : org.keycloak.authorization.jpa.entities.ResourceServerEntity#936c637c-3302-4b5c-a7d2-37e000dfb3cf 2022-06-20 14:56:23,980 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-34) Uncaught server error: java.lang.NullPointerException at org.keycloak.protocol.oidc.TokenManager.attachAuthenticationSession(TokenManager.java:542) at org.keycloak.protocol.oidc.DefaultTokenExchangeProvider.exchangeClientToOIDCClient(DefaultTokenExchangeProvider.java:376) at org.keycloak.protocol.oidc.DefaultTokenExchangeProvider.exchangeClientToClient(DefaultTokenExchangeProvider.java:339) at org.keycloak.protocol.oidc.DefaultTokenExchangeProvider.tokenExchange(DefaultTokenExchangeProvider.java:237) at org.keycloak.protocol.oidc.DefaultTokenExchangeProvider.exchange(DefaultTokenExchangeProvider.java:123) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:789) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:204) at jdk.internal.reflect.GeneratedMethodAccessor355.invoke(Unknown Source) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474) at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161) at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247) at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73) at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151) at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82) at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42) at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212) at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163) at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141) at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67) at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55) at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212) at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163) at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141) at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380) at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358) at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212) at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163) at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141) at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:71) at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159) at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100) at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157) at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:543) at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478) at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29) at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29) at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) at java.base/java.lang.Thread.run(Thread.java:829)`Version
18.0.0
Expected behavior
Successful response containing an (access_token, refresh_token) pair.
Actual behavior
Error response with HTTP code 500 and a payload reading
{"error":"unknown_error"}stemming from a NullPointerException in the backend.How to Reproduce?
/tokenendpoint request using _clientid and _clientsecret of the client created at step 2.urn:ietf:params:oauth:grant-type:token-exchange_granttype, and setting the client from step 3 as audience.Anything else?
I looked at the source code and the error most probably stems from a null token session associated with a token obtained through the client-credentials grant.