-
Bug
-
Resolution: Done
-
Major
-
None
-
Workaround Exists
-
-
---
-
---
I have a case where OidcSecurityContext is throwing null pointer on readObject method. Root cause of that is that idTokenString is null. It looks like issue in code. In org.wildfly.security.http.oidc.RequestAuthenticator#completeAuthentication method security context is created with idTokenString being null
protected void completeAuthentication(BearerTokenRequestAuthenticator bearer) { RefreshableOidcSecurityContext session = new RefreshableOidcSecurityContext(deployment, null, bearer.getTokenString(), bearer.getToken(), ----->null, ----->null, null); final OidcPrincipal<RefreshableOidcSecurityContext> principal = new OidcPrincipal<>(bearer.getToken().getPrincipalName(deployment), session); completeBearerAuthentication(principal); log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''", principal.getName(), facade.getRequest().getURI(), deployment.getResourceName()); }
Then when org.wildfly.security.http.oidc.OidcSecurityContext#readObject will be executed to fill object null pointer will be thrown as idTokenString is null. Shouldn't be there some check to not decode idTokenString if it is not set. Especially when we know that it might be null because, in some cases, context is build using hardcoded null values.
Configuration is done in following way
/subsystem=elytron/token-realm=token-realm:add(principal-claim="preferred_username", oauth2-introspection={client-id="*****", client-secret="${OIDC_CLIENT_SECRET}", introspection-url="${KEYCLOAK_AUTH_SERVER_URL}/realms/*****/protocol/openid-connect/token/introspect", client-ssl-context=keycloak-client-ssl-context, host-name-verification-policy="ANY"}) /subsystem=elytron/custom-realm=custom-realm:add(module=org.wildfly.security.elytron-http-oidc, class-name=org.wildfly.security.http.oidc.OidcSecurityRealm) /subsystem=elytron/distributed-realm=OidcRealm:add(realms=[token-realm, custom-realm])
I find out that this is happening on local ActiveMQ. In the message security context is passed as bytes to decode and then decoding is happening. In case of only bearer token OidcSecurityContext.readObject method is throwing null pointer exception. This is very specific scenario but it looks like bug in code.
- is blocked by
-
WFCORE-6952 Upgrade WildFly Elytron to 2.5.1.Final
- Resolved
- is cloned by
-
ELY-2789 OIDCSecurityContext deserialization issue
- Resolved
- is incorporated by
-
WFLY-19637 Upgrade WildFly Core to 25.0.1.Final
- Resolved