[keycloak-user] Operations through keycloak-spring-security-adapter produce status 500 when token is expired

Dmitry Korchemkin moon3854 at gmail.com
Tue Nov 28 12:47:26 EST 2017


Hello,

We're facing a problem with operations performed through a gateway (using
keycloak spring-security-adapter 3.4.0.Final). They result in
"org.keycloak.exceptions.TokenNotActiveException: Token is not active" if
attempted with an expired token. Unlike the "token is almost expired" error, which
correctly returns 401, this one throws a NullPointerException and as a result
produces a 500 status code, not 401:

  Caused by: java.lang.NullPointerException: null
      at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44)

This is observed even when accessing keycloak's own endpoints (/users).
I've seen an issue on JIRA https://issues.jboss.org/browse/KEYCLOAK-5195
which looks like it describes exactly our problem, but it's supposed to be
fixed in 3.4.0.Final.

Here's the relevant part of our http security config (the requestMatcher filters
out some requests bound for the IdP itself) from the gateway:

    import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Primary;
    import org.springframework.web.filter.CorsFilter;

    // Overrides the adapter's default filter bean so that only requests matched by
    // NeedValidateJwtTokenRequestMatcher (our own RequestMatcher) go through token validation.
    @Override
    @Bean
    @Primary
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
        return new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(),
                new NeedValidateJwtTokenRequestMatcher(gatewayRoute));
    }

    // HttpSecurityConfigurer is our own functional interface that is applied to the
    // gateway's HttpSecurity; traceMethodFilter and corsFilter are injected fields.
    @Bean
    public HttpSecurityConfigurer getHttpSecurityConfigurer() {
        return httpSecurity -> {
            httpSecurity.authorizeRequests()
                    .anyRequest().permitAll();
            httpSecurity.addFilterBefore(traceMethodFilter, CorsFilter.class);
            httpSecurity.addFilterBefore(corsFilter, KeycloakAuthenticationProcessingFilter.class);
        };
    }

Is it something with how we use the adapter in the gateway, or is the fix from
KEYCLOAK-5195 missing from 3.4.0.Final (or maybe it is not even relevant
in this case)?

Best regards,
Dmitry
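The security-relevant point in the report above is that an expired (or not-yet-valid) bearer token is an authentication failure and must be answered with 401, never with a 500 that leaks an unhandled exception path. The following is an added example, not code from the original post, from Keycloak or from its Spring adapter: a small pre-flight check that inspects only the time claims (exp, nbf, iat) of a JWT and classifies it so a gateway filter can return 401 early, before the token ever reaches the adapter's verifier. It deliberately does no signature verification (that remains the adapter's job), the 30-second leeway, the regex-based claim extraction and the constructed tokens in main() are assumptions made for the demo, and the signature segment of the demo tokens is a placeholder.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Keycloak or the poster's code): classify a bearer token's
 * time claims before handing it to the adapter, so an expired token is answered
 * with 401 instead of surfacing as an unhandled exception (500).
 *
 * Signature verification is deliberately NOT done here; it stays with
 * KeycloakAuthenticationProcessingFilter. Nothing in the payload is trusted for
 * any purpose other than deciding "reject now" vs "let the adapter verify it".
 */
public final class TokenTimeCheck {

    /** Outcome a gateway filter maps to an HTTP status. */
    public enum Outcome { PASS_TO_ADAPTER, MALFORMED, NOT_YET_VALID, EXPIRED }

    // Minimal claim extraction for the demo (assumption: a real filter would use a JSON parser).
    private static final Pattern CLAIM = Pattern.compile("\"(exp|nbf|iat)\"\\s*:\\s*(\\d+)");

    /** Allowed clock skew between gateway and Keycloak, in seconds (assumed value for the example). */
    private final long leewaySeconds;

    public TokenTimeCheck(long leewaySeconds) { this.leewaySeconds = leewaySeconds; }

    public Outcome classify(String jwt, long nowSeconds) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return Outcome.MALFORMED;
        String payload;
        try {
            payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Outcome.MALFORMED;
        }
        Long exp = null, nbf = null, iat = null;
        Matcher m = CLAIM.matcher(payload);
        while (m.find()) {
            long v = Long.parseLong(m.group(2));
            switch (m.group(1)) {
                case "exp": exp = v; break;
                case "nbf": nbf = v; break;
                default:    iat = v;
            }
        }
        // Keycloak's "token is not active" covers both directions: exp in the past,
        // or nbf/iat in the future. Both are client-side token problems, i.e. 401.
        if (exp == null) return Outcome.MALFORMED;                       // access tokens must carry exp
        if (nowSeconds > exp + leewaySeconds) return Outcome.EXPIRED;
        if (nbf != null && nbf - leewaySeconds > nowSeconds) return Outcome.NOT_YET_VALID;
        if (iat != null && iat - leewaySeconds > nowSeconds) return Outcome.NOT_YET_VALID;
        return Outcome.PASS_TO_ADAPTER;
    }

    /** HTTP status for each outcome: any token problem is 401, never a server error. */
    public static int httpStatus(Outcome o) {
        return o == Outcome.PASS_TO_ADAPTER ? 200 : 401;
    }

    // Builds a constructed, unsigned demo token; the header is {"alg":"RS256"} and
    // the signature segment is a placeholder (this example never checks it).
    static String fakeJwt(String payloadJson) {
        String b64 = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return "eyJhbGciOiJSUzI1NiJ9." + b64 + ".sig";
    }

    public static void main(String[] args) {
        TokenTimeCheck check = new TokenTimeCheck(30);
        long now = 1_511_891_246L; // constructed "now": 2017-11-28T17:47:26Z
        String expired = fakeJwt("{\"exp\":" + (now - 600) + ",\"iat\":" + (now - 900) + "}");
        String live    = fakeJwt("{\"exp\":" + (now + 300) + ",\"iat\":" + (now - 30) + "}");
        String future  = fakeJwt("{\"exp\":" + (now + 900) + ",\"nbf\":" + (now + 600) + "}");
        for (String t : new String[] {expired, live, future, "garbage"}) {
            Outcome o = check.classify(t, now);
            System.out.println(o + " -> HTTP " + httpStatus(o));
        }
    }
}
```

In a Spring Security setup like the one in the post this would sit in a servlet filter registered with `addFilterBefore(..., KeycloakAuthenticationProcessingFilter.class)` (an assumed wiring, not shown above), writing 401 with a `WWW-Authenticate: Bearer error="invalid_token"` header for the three failure outcomes and calling the chain otherwise. It is a stop-gap, not a substitute for the adapter's fix: the token that passes this check is still fully verified by the adapter, and any exception the adapter throws for a bad token should likewise be mapped to 401 rather than allowed to propagate as 500.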


More information about the keycloak-user mailing list