wildfly / wildfly.org

Source code for WildFly Website (wildfly.org)
https://www.wildfly.org/

OidcSecurityContext NullPointer issue #629

Closed skoczo closed 1 month ago

skoczo commented 2 months ago

I have a case where OidcSecurityContext is throwing a null pointer in the readObject method. The root cause is that idTokenString is null. It looks like an issue in the code. In the org.wildfly.security.http.oidc.RequestAuthenticator#completeAuthentication method the security context is created with idTokenString being null:

```java
protected void completeAuthentication(BearerTokenRequestAuthenticator bearer) {
    // the fifth and sixth arguments (idTokenString, idToken) are hard-coded to null
    RefreshableOidcSecurityContext session = new RefreshableOidcSecurityContext(deployment, null, bearer.getTokenString(), bearer.getToken(), null, null, null);
    final OidcPrincipal<RefreshableOidcSecurityContext> principal = new OidcPrincipal<>(bearer.getToken().getPrincipalName(deployment), session);
    completeBearerAuthentication(principal);
    log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''", principal.getName(), facade.getRequest().getURI(), deployment.getResourceName());
}
```

Then, when org.wildfly.security.http.oidc.OidcSecurityContext#readObject is executed to fill the object, a null pointer will be thrown because idTokenString is null. Shouldn't there be some check to not decode idTokenString if it is not set? Especially when we know that it might be null because, in some cases, the context is built using hardcoded null values.

Configuration is done in the following way:


/subsystem=elytron/token-realm=token-realm:add(principal-claim="preferred_username", oauth2-introspection={client-id="*****", client-secret="${OIDC_CLIENT_SECRET}", introspection-url="${KEYCLOAK_AUTH_SERVER_URL}/realms/*****/protocol/openid-connect/token/introspect", client-ssl-context=keycloak-client-ssl-context, host-name-verification-policy="ANY"})
/subsystem=elytron/custom-realm=custom-realm:add(module=org.wildfly.security.elytron-http-oidc, class-name=org.wildfly.security.http.oidc.OidcSecurityRealm)
/subsystem=elytron/distributed-realm=OidcRealm:add(realms=[token-realm, custom-realm])```

I just found out that this is happening on local ActiveMQ. In the message, the security context is passed as bytes to decode, and then decoding happens. In the case of only a bearer token, the OidcSecurityContext.readObject method throws a null pointer exception. This is a very specific scenario, but it looks like a bug in the code.

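The guard the reporter asks for, shown on a simplified serializable context, as an added example that is not WildFly's code: `TokenContext`, `decode` and the constructed tokens are hypothetical stand-ins for the real class and its JWT parsing.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Simplified model of a serializable security context that carries a bearer
// access token and an optional ID token (hypothetical, not WildFly's class).
public class TokenContextDemo {

    static class TokenContext implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String tokenString;
        private final String idTokenString;   // null in the bearer-only flow
        private transient String token;       // rebuilt from tokenString on read
        private transient String idToken;     // rebuilt from idTokenString on read

        TokenContext(String tokenString, String idTokenString) {
            this.tokenString = tokenString;
            this.idTokenString = idTokenString;
            this.token = decode(tokenString);
            this.idToken = idTokenString == null ? null : decode(idTokenString);
        }

        // Stand-in for JWT parsing: base64url-decode the payload segment only.
        static String decode(String jwt) {
            String payload = jwt.split("\\.")[1];
            return new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            token = decode(tokenString);
            // Guard: with a bearer token only there is no ID token, so skip decoding
            // instead of dereferencing null (the unguarded form throws NPE here).
            idToken = idTokenString == null ? null : decode(idTokenString);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed unsigned token: header {"alg":"none"}, payload {"sub":"alice"}.
        TokenContext ctx = new TokenContext("eyJhbGciOiJub25lIn0.eyJzdWIiOiJhbGljZSJ9.", null);
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(ctx); }
        // Round trip, as when the context travels inside a message as bytes.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            TokenContext restored = (TokenContext) in.readObject();
            System.out.println("token=" + restored.token + " idToken=" + restored.idToken);
        }
    }
}
```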
yersan commented 1 month ago

Hello @skoczo, thanks for using WildFly.

This repository represents the WildFly Website available at www.wildfly.org, so it is not the correct place to report or discuss WildFly issues.

If you have found a potential bug, please report it at the WildFly issue tracker:

If you need any other kind of assistance, there are also other communication channels:

There, WildFly community members or the WildFly team can assist you with your issues. This issue will now be closed, thanks!