sbm-eval / Secret_Breach-Survey

0 stars 0 forks source link

raj_10 #264

Open shahriar-raj opened 1 month ago

shahriar-raj commented 1 month ago

Describe the bug

Keycloak throws a NullPointerException on token exchange if the subject token was obtatined through client credentials.

Exception stack: 2022-06-20 14:56:23,965 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-34) AUTHENTICATE CLIENT 2022-06-20 14:56:23,965 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-34) client authenticator: client-secret 2022-06-20 14:56:23,966 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-34) client authenticator SUCCESS: client-secret 2022-06-20 14:56:23,966 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-34) Client cli authenticated by client-secret 2022-06-20 14:56:23,970 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (executor-thread-34)hibernate.connection.provider_disablesautocommit` was enabled. This setting should only be enabled when you are certain that the Connections given to Hibernate by the ConnectionProvider have auto-commit disabled. Enabling this setting when the Connections do not have auto-commit disabled will lead to Hibernate executing SQL operations outside of any JDBC/SQL transaction. 2022-06-20 14:56:23,971 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (executor-thread-34) Hibernate RegisteredSynchronization successfully registered with JTA platform 2022-06-20 14:56:23,973 DEBUG [org.hibernate.SQL] (executor-thread-34) select resourcese0.ID as id1_600, resourcese0_.ALLOW_RS_REMOTE_MGMT as allow_rs2_600, resourcese0_.DECISION_STRATEGY as decision3_600, resourcese0_.POLICY_ENFORCE_MODE as policy_e4_600 from RESOURCESERVER resourcese0 where resourcese0_.ID=? 2022-06-20 14:56:23,974 DEBUG [org.hibernate.loader.plan.exec.process.internal.EntityReferenceInitializerImpl] (executor-thread-34) On call to EntityIdentifierReaderImpl#resolve, EntityKey was already known; should only happen on root returns with an optional identifier specified 2022-06-20 14:56:23,974 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Resolving attributes for [org.keycloak.authorization.jpa.entities.ResourceServerEntity#936c637c-3302-4b5c-a7d2-37e000dfb3cf] 2022-06-20 14:56:23,974 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Processing attribute allowRemoteResourceManagement : value = false 2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Attribute (allowRemoteResourceManagement) - enhanced for lazy-loading? - false 2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Processing attribute decisionStrategy : value = UNANIMOUS 2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Attribute (decisionStrategy) - enhanced for lazy-loading? - false 2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Processing attribute policyEnforcementMode : value = ENFORCING 2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Attribute (policyEnforcementMode) - enhanced for lazy-loading? - false 2022-06-20 14:56:23,975 DEBUG [org.hibernate.engine.internal.TwoPhaseLoad] (executor-thread-34) Done materializing entity [org.keycloak.authorization.jpa.entities.ResourceServerEntity#936c637c-3302-4b5c-a7d2-37e000dfb3cf] 2022-06-20 14:56:23,975 DEBUG [org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader] (executor-thread-34) Done entity load : org.keycloak.authorization.jpa.entities.ResourceServerEntity#936c637c-3302-4b5c-a7d2-37e000dfb3cf 2022-06-20 14:56:23,980 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-34) Uncaught server error: java.lang.NullPointerException at org.keycloak.protocol.oidc.TokenManager.attachAuthenticationSession(TokenManager.java:542) at org.keycloak.protocol.oidc.DefaultTokenExchangeProvider.exchangeClientToOIDCClient(DefaultTokenExchangeProvider.java:376) at org.keycloak.protocol.oidc.DefaultTokenExchangeProvider.exchangeClientToClient(DefaultTokenExchangeProvider.java:339) at org.keycloak.protocol.oidc.DefaultTokenExchangeProvider.tokenExchange(DefaultTokenExchangeProvider.java:237) at org.keycloak.protocol.oidc.DefaultTokenExchangeProvider.exchange(DefaultTokenExchangeProvider.java:123) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:789) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:204) at jdk.internal.reflect.GeneratedMethodAccessor355.invoke(Unknown Source) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474) at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161) at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247) at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73) at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151) at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82) at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42) at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212) at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163) at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141) at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67) at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55) at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212) at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163) at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141) at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380) at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358) at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212) at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163) at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141) at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:71) at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159) at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100) at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157) at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:543) at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478) at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29) at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29) at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) at java.base/java.lang.Thread.run(Thread.java:829)`

Version

18.0.0

Expected behavior

Successful response containing an (access_token, refresh_token) pair.

Actual behavior

Error response with HTTP code 500 and a payload reading {"error":"unknown_error"} stemming from a NullPointerException in the backend.

How to Reproduce?

  1. Start Keycloak with the token exchange feature enabled.
  2. Create a confidential client with Service Account (client credentials grant) enabled.
  3. Create a target client with a token exchange permissions enabled and a client policy referring the client created at step 2.
  4. Perform a /token endpoint request using _clientid and _clientsecret of the client created at step 2.
  5. Attempt to exchange the token using the urn:ietf:params:oauth:grant-type:token-exchange _granttype, and setting the client from step 3 as audience.

Anything else?

I looked at the source code and the error most probably stems from a null token session associated with a token obtained through the client-credentials grant.