wso2 / api-manager

All issues, tasks, improvements and new features of WSO2 API Manager
Apache License 2.0

Issuer is not set as JWT for service providers when the config is enabled #2781

Closed vishmi49 closed 7 months ago

vishmi49 commented 7 months ago

Description

Issuer is not set as JWT for service providers when the config is enabled. If the token persistence configs are enabled with this feature, users cannot log in to portals if a tenant user tries to log in to the devportal of super tenant.

Screenshot 2024-04-01 at 16 46 36

Publisher portal

Screenshot 2024-04-01 at 16 46 21

Steps to Reproduce

Prerequisites

  1. Add the below config to the deployment.toml file of the fresh pack:

         [apim.oauth_config]
         enable_jwt_for_portals = true

  2. Start APIM
  3. Login to Management console
  4. Navigate to -> Service providers list -> Edit the devportal sp -> Inbound Authentication Configuration -> OAuth/OpenId Connect Configuration -> Edit
  5. Check the token issuer

Affected Component

APIM

Version

4.3.0

Environment Details (with versions)

No response

Relevant Log Output

[2024-04-01 21:46:26,723] ERROR - [introspect] Servlet.service() for servlet [introspect] in context with path [/devportal] threw exception [An exception occurred processing [/services/login/introspect.jsp] at line [81]

78:         Map introspect = gson.fromJson(introspectResult.body(), Map.class);
79:         String username = (String) introspect.get("username");
80:         Pattern regPattern = Pattern.compile("(@)");
81:         boolean found = regPattern.matcher(username).find();
82:         int count = !found ? 0 : (int) username.chars().filter(ch -> ch == '@').count();
83:         if (isEnableEmailUserName || (username.indexOf("@carbon.super") > 0 && count <= 1)) {
84:             introspect.put("username", username.replace("@carbon.super", ""));

Stacktrace:] with root cause
java.lang.NullPointerException: Cannot invoke "java.lang.CharSequence.length()" because "this.text" is null
    at java.util.regex.Matcher.getTextLength(Matcher.java:1769) ~[?:?]
    at java.util.regex.Matcher.reset(Matcher.java:415) ~[?:?]
    at java.util.regex.Matcher.<init>(Matcher.java:252) ~[?:?]
    at java.util.regex.Pattern.matcher(Pattern.java:1134) ~[?:?]
    at org.apache.jsp.services.login.introspect_jsp._jspService(introspect_jsp.java:205) ~[?:?]
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) ~[tomcat_9.0.85.wso2v1.jar:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:623) ~[tomcat-servlet-api_9.0.85.wso2v1.jar:?]
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:379) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:327) ~[tomcat_9.0.85.wso2v1.jar:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:623) ~[tomcat-servlet-api_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53) ~[org.wso2.carbon.ui_4.9.26.beta.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:129) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:119) ~[org.wso2.carbon.identity.context.rewrite.valve_1.8.41.jar:?]
    at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:115) ~[org.wso2.carbon.identity.context.rewrite.valve_1.8.41.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38) ~[org.wso2.carbon.tomcat.ext_4.9.26.beta.jar:?]
    at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:167) ~[org.wso2.carbon.identity.authz.valve_1.8.41.jar:?]
    at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:118) ~[org.wso2.carbon.identity.auth.valve_1.8.41.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:114) ~[org.wso2.carbon.tomcat.ext_4.9.26.beta.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49) ~[org.wso2.carbon.tomcat.ext_4.9.26.beta.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:75) ~[org.wso2.carbon.tomcat.ext_4.9.26.beta.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152) ~[org.wso2.carbon.tomcat.ext_4.9.26.beta.jar:?]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63) ~[org.wso2.carbon.tomcat.ext_4.9.26.beta.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137) ~[org.wso2.carbon.tomcat.ext_4.9.26.beta.jar:?]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat_9.0.85.wso2v1.jar:?]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat_9.0.85.wso2v1.jar:?]
    at java.lang.Thread.run(Thread.java:833) ~[?:?]

ERROR - [introspect] Servlet.service() for servlet [introspect] in context with path [/devportal] threw exception [java.lang.NullPointerException] with root cause
java.lang.NullPointerException: null

Related Issues

No response

Suggested Labels

No response
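The JSP excerpt in the log above dereferences `username` before checking whether the introspection response actually carried one, which is what produces the NullPointerException. The following is an added example, not WSO2's own code: a null-safe version of that username handling in a standalone class (the class and method names are assumptions). It checks the RFC 7662 `active` field first, since an inactive-token response contains only `"active": false` and no `username`, and otherwise keeps the same `@carbon.super` stripping rule as the original.

```java
import java.util.Map;
import java.util.Optional;

/** Added example (not WSO2 code): null-safe counterpart of the username
 *  handling seen in the introspect.jsp excerpt from the issue's log output. */
public final class IntrospectionUsername {

    private static final String SUPER_TENANT_SUFFIX = "@carbon.super";

    /**
     * Derives the portal username from an RFC 7662 introspection response.
     * Returns empty when the token is inactive or the response has no usable
     * username, instead of passing null into Pattern.matcher as the JSP does.
     */
    public static Optional<String> fromIntrospection(Map<String, Object> introspect,
                                                     boolean isEnableEmailUserName) {
        if (introspect == null) {
            return Optional.empty();
        }
        // RFC 7662 section 2.2: an inactive token yields {"active": false} only,
        // so "username" is absent; the original code never checks this field.
        Object active = introspect.get("active");
        if (!(active instanceof Boolean) || !((Boolean) active)) {
            return Optional.empty();
        }
        Object raw = introspect.get("username");
        if (!(raw instanceof String) || ((String) raw).isEmpty()) {
            return Optional.empty();
        }
        String username = (String) raw;
        // Same rule as the original: strip the super-tenant suffix only when
        // email-style usernames are enabled, or when the name contains at most
        // one '@' (so a tenant user such as tom@wso2.com is left untouched).
        long atCount = username.chars().filter(ch -> ch == '@').count();
        if (isEnableEmailUserName
                || (username.indexOf(SUPER_TENANT_SUFFIX) > 0 && atCount <= 1)) {
            username = username.replace(SUPER_TENANT_SUFFIX, "");
        }
        return Optional.of(username);
    }

    public static void main(String[] args) {
        // Constructed sample responses; not captured from a real server.
        System.out.println(fromIntrospection(
                Map.<String, Object>of("active", true, "username", "admin@carbon.super"), false));
        System.out.println(fromIntrospection(
                Map.<String, Object>of("active", true, "username", "tom@wso2.com"), false));
        System.out.println(fromIntrospection(Map.<String, Object>of("active", false), false));
    }
}
```

With the inactive-token case returning empty, the caller can render a proper sign-in failure rather than a 500 from the JSP, which is also the signal to look at when the SP's token issuer type does not match the configured JWT issuer.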

chamilaadhi commented 7 months ago

@vishmi49 did you add all the configurations mentioned in https://apim.docs.wso2.com/en/4.3.0/install-and-setup/setup/security/securing-api-m-web-portals/#enable-jwt-for-web-portals? From the reproducing steps I could see only one config.

tharikaGitHub commented 7 months ago

Hi All,

The reproducing steps are as follows.

  1. Start a fresh default pack without any configuration changes. In this case - APIM 4.3.0-beta.
  2. Access the Management Console (/carbon) and create a new tenant, say wso2.com.
  3. Access the developer portal and click on "SIGN-IN". (Logging in is not required) This will create a Service Provider for the Devportal App.
  4. Access the publisher portal and similarly click on "SIGN-IN". This will create a Service Provider for the Publisher App.
  5. If you access both the SP apps corresponding to the 2 portals above, you will see that no Token Issuer is selected. This means by default the token issuer type is "Default".
  6. Now shut down the server and configure it for disabling token persistence by adding the below configuration to the deployment.toml.

         [oauth]
         add_tenant_domain_to_access_token = true

         [oauth.token_persistence]
         enable = false

         [oauth.revoked_token_headers_in_response]
         enable = false

         [[oauth.extensions.token_types]]
         name = "JWT"
         issuer = "org.wso2.is.key.manager.tokenpersistence.issuer.ExtendedJWTTokenIssuer"

         [transport.https.properties]
         maxHttpHeaderSize = "12288"

         [apim.oauth_config]
         enable_jwt_for_portals = true

  7. Restart the server.
  8. Access the Devportal and click on carbon.super from the Tenant selection.
  9. Log in to the developer portal using the wso2.com tenant's credentials.
  10. You will observe the errors mentioned in the description above.

However, this is the expected behaviour because the SPs were created before enabling the token persistence configuration. To fix it, we need to follow the steps in the documentation [1] for an existing deployment.

As this is not a bug, I will close the issue.

[1] https://apim.docs.wso2.com/en/4.3.0/install-and-setup/setup/security/securing-api-m-web-portals/#enable-jwt-for-web-portals

Thanks,
Tharika.