WildFly Elytron
ELY-2789

OIDCSecurityContext deserialization issue


      I have a case where OidcSecurityContext is throwing a NullPointerException in its readObject method. The root cause is that idTokenString is null. It looks like an issue in the code. In the org.wildfly.security.http.oidc.RequestAuthenticator#completeAuthentication method, the security context is created with idTokenString being null:

      protected void completeAuthentication(BearerTokenRequestAuthenticator bearer) {
          // Bearer-only flow: the two arguments marked below are hard-coded to null,
          // so idTokenString is never populated on this context.
          RefreshableOidcSecurityContext session = new RefreshableOidcSecurityContext(deployment, null, bearer.getTokenString(), bearer.getToken(), /* ----> */ null, /* ----> */ null, null);
          final OidcPrincipal<RefreshableOidcSecurityContext> principal = new OidcPrincipal<>(bearer.getToken().getPrincipalName(deployment), session);
          completeBearerAuthentication(principal);
          log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''", principal.getName(), facade.getRequest().getURI(), deployment.getResourceName());
      }

      Then, when org.wildfly.security.http.oidc.OidcSecurityContext#readObject is executed to populate the object, a NullPointerException is thrown because idTokenString is null. Shouldn't there be a check to not decode idTokenString if it is not set? Especially since we know that it might be null because, in some cases, the context is built using hard-coded null values.

      The configuration is done in the following way:


      /subsystem=elytron/token-realm=token-realm:add(principal-claim="preferred_username", oauth2-introspection={client-id="*****", client-secret="${OIDC_CLIENT_SECRET}", introspection-url="${KEYCLOAK_AUTH_SERVER_URL}/realms/*****/protocol/openid-connect/token/introspect", client-ssl-context=keycloak-client-ssl-context, host-name-verification-policy="ANY"})
      /subsystem=elytron/custom-realm=custom-realm:add(module=org.wildfly.security.elytron-http-oidc, class-name=org.wildfly.security.http.oidc.OidcSecurityRealm)
      /subsystem=elytron/distributed-realm=OidcRealm:add(realms=[token-realm, custom-realm])

      I found out that this is happening on local ActiveMQ. In the message, the security context is passed as bytes to decode, and then decoding happens. In the case of only a bearer token, the OidcSecurityContext.readObject method throws a NullPointerException. This is a very specific scenario, but it looks like a bug in the code.

              rh-ee-prpaul Prarthona Paul (Inactive)
              skoczo Adrian Skoczylas (Inactive)
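The guard the report asks for, as an added example that is not part of the original issue and not WildFly Elytron's own code. NullSafeSecurityContext, decodePayload and the helper methods are hypothetical stand-ins that mirror the pattern described above: the token strings are serialized, the decoded payloads are transient and rebuilt in readObject, and the ID token is only decoded when it was actually set. The sample token is constructed inline (an unsigned, alg "none" compact JWS) and is not a real Keycloak token. Without the null check in readObject, decodePayload(null) would fail on the first method call on the null string, which is the NullPointerException the reporter sees for the bearer-only case.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Hypothetical serializable security context (not the Elytron class).
 * Token strings travel with the object; decoded payloads are transient
 * and reconstructed in readObject(), which is where a null ID token
 * string must be tolerated.
 */
public class NullSafeSecurityContext implements Serializable {
    private static final long serialVersionUID = 1L;

    private final String tokenString;    // bearer/access token, always present
    private final String idTokenString;  // null for bearer-only authentication
    private transient String tokenPayload;
    private transient String idTokenPayload;

    public NullSafeSecurityContext(String tokenString, String idTokenString) {
        this.tokenString = tokenString;
        this.idTokenString = idTokenString;
        this.tokenPayload = decodePayload(tokenString);
        this.idTokenPayload = idTokenString == null ? null : decodePayload(idTokenString);
    }

    /** Minimal compact-JWS payload decoder: base64url-decodes the middle segment. */
    static String decodePayload(String jws) {
        String[] parts = jws.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a compact JWS: " + jws);
        }
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        tokenPayload = decodePayload(tokenString);
        // The missing check: skip decoding when no ID token was ever set.
        idTokenPayload = idTokenString == null ? null : decodePayload(idTokenString);
    }

    public String getTokenPayload() { return tokenPayload; }
    public String getIdTokenPayload() { return idTokenPayload; }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static NullSafeSecurityContext deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (NullSafeSecurityContext) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: header {"alg":"none"}, a tiny JSON payload, empty signature.
        String payload = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"preferred_username\":\"alice\"}".getBytes(StandardCharsets.UTF_8));
        String bearer = "eyJhbGciOiJub25lIn0." + payload + ".";

        // Bearer-only case from the report: idTokenString deliberately null.
        NullSafeSecurityContext ctx = new NullSafeSecurityContext(bearer, null);
        NullSafeSecurityContext copy = deserialize(serialize(ctx));

        System.out.println("access token payload: " + copy.getTokenPayload());
        System.out.println("id token payload:     " + copy.getIdTokenPayload()); // null, no NPE
    }
}
```

Run it with `java NullSafeSecurityContext.java`; the round trip through ObjectOutputStream/ObjectInputStream completes and the ID token payload simply stays null. The same pattern applies to any other field that completeAuthentication hard-codes to null: either guard it in readObject or refuse nulls in the constructor so the object can never be serialized in a state readObject cannot rebuild.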