Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-19549

OIDCSecurityContext deserialization issue

XMLWordPrintable

    • Workaround Exists
    • Hide

      Currently i'm building id token from auth token in code and using reflection set id token string in OIDCSecurityContext

      Show
      Currently i'm building id token from auth token in code and using reflection set id token string in OIDCSecurityContext
    • ---
    • ---

      I have a case where OidcSecurityContext is throwing null pointer on readObject method. Root cause of that is that idTokenString is null. It looks like issue in code. In org.wildfly.security.http.oidc.RequestAuthenticator#completeAuthentication method security context is created with idTokenString  being null

      protected void completeAuthentication(BearerTokenRequestAuthenticator bearer) {
              RefreshableOidcSecurityContext session = new RefreshableOidcSecurityContext(deployment, null, bearer.getTokenString(), bearer.getToken(), ----->null, ----->null, null);
              final OidcPrincipal<RefreshableOidcSecurityContext> principal = new OidcPrincipal<>(bearer.getToken().getPrincipalName(deployment), session);
              completeBearerAuthentication(principal);
              log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''", principal.getName(), facade.getRequest().getURI(), deployment.getResourceName());
          }

      Then when org.wildfly.security.http.oidc.OidcSecurityContext#readObject will be executed to fill object null pointer will be thrown as idTokenString  is null. Shouldn't be there some check to not decode idTokenString if it is not set. Especially when we know that it might be null because, in some cases, context is build using hardcoded null values.

      Configuration is done in following way

       

      /subsystem=elytron/token-realm=token-realm:add(principal-claim="preferred_username", oauth2-introspection={client-id="*****", client-secret="${OIDC_CLIENT_SECRET}", introspection-url="${KEYCLOAK_AUTH_SERVER_URL}/realms/*****/protocol/openid-connect/token/introspect", client-ssl-context=keycloak-client-ssl-context, host-name-verification-policy="ANY"})
      /subsystem=elytron/custom-realm=custom-realm:add(module=org.wildfly.security.elytron-http-oidc, class-name=org.wildfly.security.http.oidc.OidcSecurityRealm)
      /subsystem=elytron/distributed-realm=OidcRealm:add(realms=[token-realm, custom-realm])
       
      

      I find out that this is happening on local ActiveMQ. In the message security context is passed as bytes to decode and then decoding is happening. In case of only bearer token  OidcSecurityContext.readObject method is throwing null pointer exception. This is very specific scenario but it looks like bug in code.

              fjuma1@redhat.com Farah Juma
              skoczo Adrian Skoczylas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: