- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 10.10
- Fix Version/s: 10.10-HF32, 11.3, 2021.0
- Component/s: OAuth
- Release Notes Summary: A blank "assertion" parameter is correctly handled by the JWT token implementation.
- Tags:
- Backlog priority: 800
- Sprint: nxplatform #16
- Story Points: 2
Steps to reproduce:
- Configure an OAuth2 client with:
  - Name: java7 client
  - Client Id: nuxeo-java7-client
  - Client Secret: 8832hrrhoiy382
  - Redirect URIs: nuxeo://authorize
  - Auto-grant: Yes
  - Activated: Yes
- Run the following command, in which the "assertion" key is missing:
curl --location --request POST 'http://localhost:8080/nuxeo/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  -u Administrator:Administrator \
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
  --data-urlencode 'client_id=nuxeo-java7-client' \
  --data-urlencode 'client_secret=8832hrrhoiy382'
- Observe that the response is a redirect to the Nuxeo HTML error page instead, which displays the NPE in the stack trace:
2020-07-09T16:47:05,756 ERROR [nuxeo-error-log] javax.servlet.ServletException: java.lang.NullPointerException
...
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
    at java.util.Objects.requireNonNull(Objects.java:203)
    at org.nuxeo.ecm.jwt.JWTServiceImpl.verifyToken(JWTServiceImpl.java:231)
    at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPostToken(NuxeoOAuth2Servlet.java:338)
    at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPost(NuxeoOAuth2Servlet.java:121)
Expected behavior:
The error is returned as a JSON response, as it is for an incorrect "assertion" value:
{
  "error_description": "Invalid client: Administrator",
  "error": "invalid_client"
}
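The defect above is an unvalidated request parameter reaching `Objects.requireNonNull` deep inside token verification, so the client gets an HTML error page and a stack trace instead of an OAuth2 error. The following is an added example, not Nuxeo's code: it contrasts the unchecked path with a boundary check that turns a missing or blank "assertion" into a JSON error (here using the RFC 6749 section 5.2 error codes `invalid_request` and `unsupported_grant_type`, whereas the expected response quoted above uses `invalid_client`); `TokenError`, the method names and the constructed form body are all hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

public class JwtBearerGrantCheck {
    static final String JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    /** Hypothetical stand-in for the servlet's JSON error body (RFC 6749 section 5.2 fields). */
    static final class TokenError {
        final int status; final String error; final String description;
        TokenError(int status, String error, String description) {
            this.status = status; this.error = error; this.description = description;
        }
        String toJson() {
            return "{ \"error_description\": \"" + description + "\", \"error\": \"" + error + "\" }";
        }
    }

    /** Before: the failure mode in the report. A missing "assertion" reaches requireNonNull
     *  inside token verification and escapes as a NullPointerException (HTML error page plus stack trace). */
    static String verifyAssertionUnchecked(Map<String, String> form) {
        return Objects.requireNonNull(form.get("assertion")); // NPE when the parameter is absent
    }

    /** After: validate at the endpoint boundary so a missing or blank "assertion" becomes a
     *  400 JSON error before any verification code runs. Returns null when the request is well formed. */
    static TokenError validateJwtBearerRequest(Map<String, String> form) {
        if (!JWT_BEARER.equals(form.get("grant_type"))) {
            return new TokenError(400, "unsupported_grant_type", "Unsupported grant_type");
        }
        String assertion = form.get("assertion");
        if (assertion == null || assertion.trim().isEmpty()) {
            return new TokenError(400, "invalid_request", "Missing or blank \"assertion\" parameter");
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed form body mirroring the report's curl call: no "assertion" key at all.
        Map<String, String> form = new HashMap<>();
        form.put("grant_type", JWT_BEARER);
        form.put("client_id", "nuxeo-java7-client");
        form.put("client_secret", "8832hrrhoiy382");
        try {
            verifyAssertionUnchecked(form);
        } catch (NullPointerException e) {
            System.out.println("before: unhandled " + e); // what the servlet surfaced as a 500
        }
        TokenError err = validateJwtBearerRequest(form);
        System.out.println("after: HTTP " + err.status + " " + err.toJson());
    }
}
```

Running `main` prints the unhandled NPE for the unchecked path and a 400 JSON error for the validated one; a blank `assertion=` value takes the same validated branch as the absent key.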