Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

4.x NPE observed when refresh access tokens are not allowed for users using OIDC security provider #8335

Closed
tirunagaris opened this issue Feb 6, 2024 · 3 comments
Closed

4.x NPE observed when refresh access tokens are not allowed for users using OIDC security provider #8335

tirunagaris opened this issue Feb 6, 2024 · 3 comments
Assignees
@Verdent
Labels
4.x Version 4.x bug Something isn't working P2 security
Milestone
4.0.6

Comments

@tirunagaris
Copy link

Environment Details

  • Helidon Version: 4.0.4
  • Helidon MP
  • JDK version: JDK 21
  • OS: Windows
  • Docker version (if applicable):

Problem Description

Our application is configured with OIDC security provider and migrated from Helidon MP 3.2.3 to 4.0.4 version;
Post migration, observing NPE when we try to login on IdP login screen and its redirected to "redirect-uri". (This is observed only on first time login and next time its not asking credentials)
Expected behavior: Post login, protected resource should be accessible with NPE in logs.
Below is the stack trace:

io.helidon.security.providers.oidc.OidcFeature VirtualThread[#92,[0x6d056374 0x1f4b6bcd] WebServer socket]/runnable@ForkJoinPool-1-worker-13: Failed to process OIDC request
java.lang.NullPointerException: Cannot invoke "String.getBytes(java.nio.charset.Charset)" because "it" is null
	at io.helidon.security.providers.oidc.common.OidcCookieHandler.lambda$new$7(OidcCookieHandler.java:93)
	at io.helidon.security.providers.oidc.common.OidcCookieHandler.createCookie(OidcCookieHandler.java:118)
	at io.helidon.security.providers.oidc.OidcFeature.processJsonResponse(OidcFeature.java:484)
	at io.helidon.security.providers.oidc.OidcFeature.processCodeWithTenant(OidcFeature.java:396)
	at io.helidon.security.providers.oidc.OidcFeature.processCode(OidcFeature.java:373)
	at io.helidon.security.providers.oidc.OidcFeature.lambda$processOidcRedirect$9(OidcFeature.java:365)
	at java.base/java.util.Optional.ifPresentOrElse(Optional.java:196)
	at io.helidon.common.mapper.OptionalValue.ifPresentOrElse(OptionalValue.java:173)
	at io.helidon.security.providers.oidc.OidcFeature.processOidcRedirect(OidcFeature.java:365)
	at io.helidon.webserver.http.HttpRouting$RoutingExecutor.doRoute(HttpRouting.java:668)
	at io.helidon.webserver.http.HttpRouting$RoutingExecutor.call(HttpRouting.java:627)
	at io.helidon.webserver.http.HttpRouting$RoutingExecutor.call(HttpRouting.java:605)
	at io.helidon.webserver.http.ErrorHandlers.runWithErrorHandling(ErrorHandlers.java:75)
	at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:121)
	at io.helidon.webserver.observe.metrics.MetricsFeature.lambda$configureVendorMetrics$2(MetricsFeature.java:90)
	at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:119)
	at io.helidon.webserver.security.SecurityContextFilter.filter(SecurityContextFilter.java:88)
	at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:119)
	at io.helidon.common.context.Contexts.runInContext(Contexts.java:117)
	at io.helidon.webserver.context.ContextRoutingFeature.filter(ContextRoutingFeature.java:50)
	at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:119)
	at io.helidon.webserver.http.Filters.executeFilters(Filters.java:87)
	at io.helidon.webserver.http.Filters.lambda$filter$0(Filters.java:83)
	at io.helidon.webserver.http.ErrorHandlers.runWithErrorHandling(ErrorHandlers.java:75)
	at io.helidon.webserver.http.Filters.filter(Filters.java:83)
	at io.helidon.webserver.http.HttpRouting.route(HttpRouting.java:109)
	at io.helidon.webserver.http1.Http1Connection.route(Http1Connection.java:357)
	at io.helidon.webserver.http1.Http1Connection.handle(Http1Connection.java:194)
	at io.helidon.webserver.ConnectionHandler.run(ConnectionHandler.java:165)
	at io.helidon.common.task.InterruptableTask.call(InterruptableTask.java:47)
	at io.helidon.webserver.ThreadPerTaskExecutor$ThreadBoundFuture.run(ThreadPerTaskExecutor.java:239)
	at java.base/java.lang.VirtualThread.run(VirtualThread.java:309)

Steps to reproduce

Configure the application with below OIDC parameters and try to access an protected resource.

  • IdP login screen is shown; provide credentials and observe the redirection to redirect-uri.
  • Post this screen is blank; found the NPE in logs.
    `providers:
    • abac:
    • oidc:
      header-use: true
      identity-uri: "${security.properties.idcs-uri}"
      client-id: "${security.properties.idcs-client-id}"
      client-secret: "${security.properties.idcs-client-secret}"
      audience: "${security.properties.idcs-uri}"
      scope-audience: "https://localhost:8001/"
      redirect-uri: "/sr/test/topology"
      token-endpoint-auth: CLIENT_SECRET_POST
      cookie-name: "JSESSIONID"
      cookie-same-site: "LAX"
      logout-enabled: true
      logout-uri: "/custom/logout"
      post-logout-uri: "/greet/WelcomeUser"
      validate-jwt-with-jwk: false
      cookie-encryption-password: "lpmaster"
      oidc-metadata:
      resource:
      uri: ${security.properties.idcs-uri}/.well-known/openid-configuration
    • idcs-role-mapper:
      multitenant: false
      oidc-config:
      # we must repeat IDCS configuration, as in this case
      # IDCS serves both as open ID connect authenticator and
      # as a role mapper. Using minimal configuration here
      client-id: "${security.properties.idcs-client-id}"
      client-secret: "${security.properties.idcs-client-secret}"
      identity-uri: "${security.properties.idcs-uri}"`
@Verdent Verdent self-assigned this Feb 6, 2024
@Verdent Verdent added bug Something isn't working security 4.x Version 4.x labels Feb 6, 2024
@Verdent Verdent mentioned this issue Feb 6, 2024
Merged
@tirunagaris
Copy link
Author

Upgraded to Helidon 4.0.5 with same configuration and getting below exception always; not allowing to proceed further.

 Failed to read JSON from response
java.lang.IllegalStateException: Nonce is required to be present in the access token
	at io.helidon.security.providers.oidc.OidcFeature.lambda$processJsonResponse$11(OidcFeature.java:492)
	at java.base/java.util.Optional.orElseThrow(Optional.java:403)
	at io.helidon.security.providers.oidc.OidcFeature.processJsonResponse(OidcFeature.java:492)
	at io.helidon.security.providers.oidc.OidcFeature.processCodeWithTenant(OidcFeature.java:425)
	at io.helidon.security.providers.oidc.OidcFeature.processCode(OidcFeature.java:382)
	at io.helidon.security.providers.oidc.OidcFeature.lambda$processOidcRedirect$9(OidcFeature.java:374)
	at java.base/java.util.Optional.ifPresentOrElse(Optional.java:196)
	at io.helidon.common.mapper.OptionalValue.ifPresentOrElse(OptionalValue.java:173)
	at io.helidon.security.providers.oidc.OidcFeature.processOidcRedirect(OidcFeature.java:374)
	at io.helidon.webserver.http.HttpRouting$RoutingExecutor.doRoute(HttpRouting.java:668)
	at io.helidon.webserver.http.HttpRouting$RoutingExecutor.call(HttpRouting.java:627)
	at io.helidon.webserver.http.HttpRouting$RoutingExecutor.call(HttpRouting.java:605)
	at io.helidon.webserver.http.ErrorHandlers.runWithErrorHandling(ErrorHandlers.java:75)
	at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:121)
	at io.helidon.webserver.observe.metrics.MetricsFeature.lambda$configureVendorMetrics$2(MetricsFeature.java:90)
	at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:119)
	at io.helidon.webserver.security.SecurityContextFilter.filter(SecurityContextFilter.java:88)
	at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:119)
	at io.helidon.common.context.Contexts.runInContext(Contexts.java:117)
	at io.helidon.webserver.context.ContextRoutingFeature.filter(ContextRoutingFeature.java:50)
	at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:119)
	at io.helidon.webserver.http.Filters.executeFilters(Filters.java:87)
	at io.helidon.webserver.http.Filters.lambda$filter$0(Filters.java:83)
	at io.helidon.webserver.http.ErrorHandlers.runWithErrorHandling(ErrorHandlers.java:75)
	at io.helidon.webserver.http.Filters.filter(Filters.java:83)
	at io.helidon.webserver.http.HttpRouting.route(HttpRouting.java:109)
	at io.helidon.webserver.http1.Http1Connection.route(Http1Connection.java:357)
	at io.helidon.webserver.http1.Http1Connection.handle(Http1Connection.java:194)
	at io.helidon.webserver.ConnectionHandler.run(ConnectionHandler.java:165)
	at io.helidon.common.task.InterruptableTask.call(InterruptableTask.java:47)
	at io.helidon.webserver.ThreadPerTaskExecutor$ThreadBoundFuture.run(ThreadPerTaskExecutor.java:239)
	at java.base/java.lang.VirtualThread.run(VirtualThread.java:309)

@Verdent Verdent added the P2 label Feb 8, 2024
@Verdent Verdent added this to the 4.0.6 milestone Feb 15, 2024
@Verdent
Copy link
Member

Verdent commented Feb 15, 2024

I have created diffrerent issue for this nonce problem, as it is not related to this issue. See #8386

@Verdent
Copy link
Member

Verdent commented Feb 15, 2024

This issue is fixed

@Verdent Verdent closed this as completed Feb 15, 2024
@m0mus m0mus added this to Backlog Aug 12, 2024
@m0mus m0mus moved this to Closed in Backlog Aug 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Verdent Verdent

Labels
4.x Version 4.x bug Something isn't working P2 security
Projects
Backlog
Archived in project
Milestone
4.0.6
Development

No branches or pull requests
2 participants
@Verdent @tirunagaris