Bug
Resolution: Done
Description
Add a null guard to clientAssertionState.getClientAssertionType() when checking against SUPPORTED_ASSERTION_TYPES.
Discussion
No response
Motivation
The FederatedJWTClientAuthenticator.authenticateClient(..) method throws an NPE if clientAssertionState.getClientAssertionType() returns null.
Details
2025-09-29 22:13:42,053 INFO [org.keycloak.events] (executor-thread-1) type="LOGIN", realmId="bdd5d662-6486-4b7b-be05-b1f006a527f9", realmName="abca-demo", clientId="abca-client", userId="e7378ec3-2b9e-4c20-a3c4-392332c27f39", sessionId="ea1f9547-2942-82f9-2971-91c58a1c16df", ipAddress="127.0.0.1", auth_method="openid-connect", token_id="onrtro:6bd44f00-8f85-cfab-ff7c-90b8680a1c52", grant_type="password", refresh_token_type="Refresh", scope="profile email", refresh_token_id="2d5cf9be-2b70-bb2a-ecf2-3b7b51c043de", client_auth_method="client-attestation", username="tester", authSessionParentId="ea1f9547-2942-82f9-2971-91c58a1c16df", authSessionTabId="mGAgK2qz1nc"
2025-09-29 22:14:00,425 WARN [org.keycloak.authentication.authenticators.client.FederatedJWTClientAuthenticator] (executor-thread-1) Authentication failed: java.lang.NullPointerException: Cannot invoke "Object.equals(Object)" because "o" is null
    at java.base/java.util.ImmutableCollections$Set12.contains(ImmutableCollections.java:817)
    at org.keycloak.authentication.authenticators.client.FederatedJWTClientAuthenticator.authenticateClient(FederatedJWTClientAuthenticator.java:55)
    at org.keycloak.authentication.ClientAuthenticationFlow.processFlow(ClientAuthenticationFlow.java:73)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateClient(AuthenticationProcessor.java:964)
    at org.keycloak.protocol.oidc.utils.AuthorizeClientUtil.authorizeClient(AuthorizeClientUtil.java:49)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.checkClient(TokenEndpoint.java:178)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:134)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint$quarkusrestinvoker$processGrantRequest_3903cccf0670c489ab77dc2ba1ba757573ec6d78.invoke(Unknown Source)
    at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
    at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
    at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
    at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
    at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:1583)
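The top frame of the trace, ImmutableCollections$Set12.contains, is the two-element set returned by Set.of(..), which rejects a null argument instead of returning false. The following stand-alone sketch is an added example, not Keycloak's code: it reproduces that behaviour next to the guarded check the description asks for. The class name, method names and the second set entry are hypothetical; only SUPPORTED_ASSERTION_TYPES is a name taken from this issue.

```java
import java.util.HashSet;
import java.util.Set;

public class AssertionTypeGuard {
    // Assumed contents: the first entry is the RFC 7523 URN, the second is a
    // constructed placeholder so that Set.of(..) yields a two-element set.
    static final Set<String> SUPPORTED_ASSERTION_TYPES = Set.of(
            "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "urn:example:client-assertion-type:placeholder");

    // Unguarded: immutable sets from Set.of(..) throw NullPointerException
    // when contains() is called with null.
    static boolean isSupportedUnguarded(String assertionType) {
        return SUPPORTED_ASSERTION_TYPES.contains(assertionType);
    }

    // Guarded: a null assertion type is simply "not supported", so the caller
    // can reject the request through its normal failure path.
    static boolean isSupportedGuarded(String assertionType) {
        return assertionType != null
                && SUPPORTED_ASSERTION_TYPES.contains(assertionType);
    }

    public static void main(String[] args) {
        String missing = null; // stands in for getClientAssertionType() returning null

        try {
            isSupportedUnguarded(missing);
            System.out.println("unguarded: returned normally");
        } catch (NullPointerException e) {
            System.out.println("unguarded: NPE: " + e.getMessage());
        }

        System.out.println("guarded, null type: " + isSupportedGuarded(missing));
        System.out.println("guarded, jwt-bearer: " + isSupportedGuarded(
                "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));

        // A HashSet copy tolerates null lookups, which is why the same check
        // passes unnoticed when the constant is a mutable set.
        Set<String> mutableCopy = new HashSet<>(SUPPORTED_ASSERTION_TYPES);
        System.out.println("HashSet, null type: " + mutableCopy.contains(missing));
    }
}
```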