WildFly / WFLY-19549

OIDCSecurityContext deserialization issue


    • Workaround Exists

      Currently I'm building the ID token from the auth token in code and using reflection to set the ID token string in OIDCSecurityContext.

      I have a case where OidcSecurityContext is throwing a null pointer in the readObject method. The root cause is that idTokenString is null. It looks like an issue in the code. In the org.wildfly.security.http.oidc.RequestAuthenticator#completeAuthentication method, the security context is created with idTokenString being null:

      protected void completeAuthentication(BearerTokenRequestAuthenticator bearer) {
          // the fifth and sixth constructor arguments (idTokenString, idToken) are hardcoded to null
          RefreshableOidcSecurityContext session = new RefreshableOidcSecurityContext(deployment, null, bearer.getTokenString(), bearer.getToken(), null, null, null);
          final OidcPrincipal<RefreshableOidcSecurityContext> principal = new OidcPrincipal<>(bearer.getToken().getPrincipalName(deployment), session);
          completeBearerAuthentication(principal);
          log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''", principal.getName(), facade.getRequest().getURI(), deployment.getResourceName());
      }

      Then, when org.wildfly.security.http.oidc.OidcSecurityContext#readObject is executed to fill the object, a null pointer will be thrown, as idTokenString is null. Shouldn't there be some check to not decode idTokenString if it is not set? Especially when we know that it might be null because, in some cases, the context is built using hardcoded null values.

      Configuration is done in the following way:


      /subsystem=elytron/token-realm=token-realm:add(principal-claim="preferred_username", oauth2-introspection={client-id="*****", client-secret="${OIDC_CLIENT_SECRET}", introspection-url="${KEYCLOAK_AUTH_SERVER_URL}/realms/*****/protocol/openid-connect/token/introspect", client-ssl-context=keycloak-client-ssl-context, host-name-verification-policy="ANY"})
      /subsystem=elytron/custom-realm=custom-realm:add(module=org.wildfly.security.elytron-http-oidc, class-name=org.wildfly.security.http.oidc.OidcSecurityRealm)
      /subsystem=elytron/distributed-realm=OidcRealm:add(realms=[token-realm, custom-realm])

      I found out that this is happening on local ActiveMQ. In the message, the security context is passed as bytes to decode, and then decoding happens. In the case of only a bearer token, the OidcSecurityContext.readObject method throws a null pointer exception. This is a very specific scenario, but it looks like a bug in the code.
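      As an added illustration (not WildFly's own code), the following cut-down stand-in reproduces the failure mode described above: a Serializable context whose readObject eagerly re-parses idTokenString throws a NullPointerException when a bearer-only context (idTokenString == null) is deserialised, while a null guard lets the same bytes round-trip. Apart from idTokenString, the class, field and method names are hypothetical, and the ID token is a constructed sample.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration, not WildFly's code: a cut-down stand-in for OidcSecurityContext whose
// readObject re-parses idTokenString, showing the NPE for a bearer-only context and a null guard.
public class OidcContextNullDemo {
    static class Context implements Serializable {
        private static final long serialVersionUID = 1L;
        final String tokenString;       // access token string, always present
        final String idTokenString;     // null when only a bearer token was presented
        final boolean guardNulls;       // hypothetical switch: false = reported behaviour, true = guarded
        transient String idTokenClaims; // rebuilt in readObject, like the parsed IDToken

        Context(String tokenString, String idTokenString, boolean guardNulls) {
            this.tokenString = tokenString;
            this.idTokenString = idTokenString;
            this.guardNulls = guardNulls;
        }

        // Minimal JWT payload extraction (no signature verification; illustration only).
        static String claimsOf(String jwt) {
            String[] parts = jwt.split("\\."); // NullPointerException when jwt is null
            return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (guardNulls && idTokenString == null) {
                idTokenClaims = null;                    // bearer-only: nothing to decode
            } else {
                idTokenClaims = claimsOf(idTokenString); // unguarded: throws for bearer-only
            }
        }
    }

    // Serialize and deserialize in-process, like the context bytes carried in the ActiveMQ message.
    static Context roundTrip(Context c) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(c); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (Context) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        String idTok = "hdr." + Base64.getUrlEncoder().withoutPadding() // constructed sample ID token
                .encodeToString("{\"sub\":\"alice\"}".getBytes(StandardCharsets.UTF_8)) + ".sig";
        System.out.println("interactive login: " + roundTrip(new Context("a.b.c", idTok, false)).idTokenClaims);
        try { roundTrip(new Context("a.b.c", null, false)); } // bearer-only, as built by completeAuthentication
        catch (NullPointerException e) { System.out.println("unguarded readObject: NullPointerException"); }
        System.out.println("guarded readObject: " + roundTrip(new Context("a.b.c", null, true)).idTokenClaims);
    }
}
```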

            fjuma1@redhat.com Farah Juma
            skoczo Adrian Skoczylas (Inactive)