Nuxeo Platform / NXP-29393

Fix NPE when checking JWT token


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.10
    • Fix Version/s: 10.10-HF32, 11.3, 2021.0
    • Component/s: OAuth
    • Release Notes Summary:
      A blank "assertion" parameter is correctly handled by the JWT token implementation.
    • Backlog priority:
      800
    • Sprint:
      nxplatform #16
    • Story Points:
      2

      Description

      Steps to reproduce:

      1. Configure an OAuth2 client with:
        • Name: java7 client
        • Client Id: nuxeo-java7-client
        • Client Secret: 8832hrrhoiy382
        • Redirect URIs: nuxeo://authorize
        • Auto-grant: Yes
        • Activated: Yes
      2. Run the following command, in which the "assertion" key is missing:
        curl --location --request POST 'http://localhost:8080/nuxeo/oauth2/token' \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        -u Administrator:Administrator \
        --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
        --data-urlencode 'client_id=nuxeo-java7-client' \
        --data-urlencode 'client_secret=8832hrrhoiy382'
        
      3. Observe that the response is instead a redirection to the Nuxeo HTML error page, which shows the NPE in the stack trace:
      2020-07-09T16:47:05,756 ERROR [nuxeo-error-log] javax.servlet.ServletException: java.lang.NullPointerException
      	...
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.NullPointerException
      	at java.util.Objects.requireNonNull(Objects.java:203)
      	at org.nuxeo.ecm.jwt.JWTServiceImpl.verifyToken(JWTServiceImpl.java:231)
      	at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPostToken(NuxeoOAuth2Servlet.java:338)
      	at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPost(NuxeoOAuth2Servlet.java:121)
       

      Expected behavior:
      The error is returned in the JSON response, as it is for an incorrect "assertion" value:

      {
        "error_description": "Invalid client: Administrator",
        "error": "invalid_client"
      }
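      For illustration, the following is an added example and not Nuxeo's own code: a stand-alone Java stand-in for the token endpoint's JWT bearer grant handling (RFC 7523) that shows the unchecked path, where a missing "assertion" reaches the verifier's null check and escapes as a NullPointerException, next to the checked path, which rejects a missing or blank parameter at the request boundary and answers with an RFC 6749 error JSON instead. The form map, verifyToken(), error(), accessToken() and the error codes invalid_request/invalid_grant are assumptions made here (the page shows Nuxeo answering invalid_client for an unverifiable assertion); verifyToken() mirrors only the Objects.requireNonNull seen in the stack trace.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Added example, not Nuxeo's code: a minimal stand-in for the token endpoint's
// handling of the JWT bearer grant (RFC 7523). The form map replaces the
// servlet request; verifyToken() is a hypothetical stand-in for
// JWTServiceImpl.verifyToken and only mirrors its null check.
public class JwtBearerGrantExample {

    static final String JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    /** Before: the "assertion" value is passed straight to the verifier, so a
     *  missing parameter becomes a NullPointerException deep in the stack and
     *  the servlet container renders the HTML error page. */
    static String handleTokenRequestUnchecked(Map<String, String> form) {
        String grantType = form.get("grant_type");
        if (!JWT_BEARER.equals(grantType)) {
            return error("unsupported_grant_type", "Unsupported grant_type: " + grantType);
        }
        Map<String, Object> claims = verifyToken(form.get("assertion")); // NPE when absent
        return claims == null ? error("invalid_grant", "Invalid assertion") : accessToken(claims);
    }

    /** After: reject a missing or blank "assertion" at the parameter-parsing
     *  boundary with an RFC 6749 error JSON, before any verifier call. */
    static String handleTokenRequestChecked(Map<String, String> form) {
        String grantType = form.get("grant_type");
        if (!JWT_BEARER.equals(grantType)) {
            return error("unsupported_grant_type", "Unsupported grant_type: " + grantType);
        }
        String assertion = form.get("assertion");
        if (assertion == null || assertion.trim().isEmpty()) {
            return error("invalid_request", "Missing or blank assertion parameter");
        }
        Map<String, Object> claims = verifyToken(assertion);
        return claims == null ? error("invalid_grant", "Invalid assertion") : accessToken(claims);
    }

    /** Hypothetical verifier: keeps only the requireNonNull seen in the trace;
     *  no signature or expiry checks, every non-null token is treated as invalid. */
    static Map<String, Object> verifyToken(String token) {
        Objects.requireNonNull(token, "token");
        return null;
    }

    static String error(String code, String description) {
        return "{\"error\":\"" + code + "\",\"error_description\":\"" + description + "\"}";
    }

    static String accessToken(Map<String, Object> claims) {
        return "{\"access_token\":\"<issued for " + claims.get("sub") + ">\"}";
    }

    public static void main(String[] args) {
        // Constructed request body matching the curl command in the steps above:
        // grant_type, client_id and client_secret present, "assertion" omitted.
        Map<String, String> form = new HashMap<>();
        form.put("grant_type", JWT_BEARER);
        form.put("client_id", "nuxeo-java7-client");
        form.put("client_secret", "8832hrrhoiy382");

        try {
            handleTokenRequestUnchecked(form);
        } catch (NullPointerException e) {
            System.out.println("unchecked: NullPointerException escapes -> HTML error page");
        }
        System.out.println("checked:   " + handleTokenRequestChecked(form));
    }
}
```

      Compile and run with javac/java; the unchecked handler throws on the constructed request, while the checked handler returns the invalid_request JSON. The point of the check is the boundary: every form parameter the grant needs is validated where the request is parsed, so a malformed client request never turns into an unhandled exception and a container error page.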
      
