[keycloak-user] AdapterRsaTokenVerifier throws NullPointerException on getPublicKey after processing expired token

Tuesday, 19 December 2017

Hello,

Just upgraded to 3.4.1.Final to check if my issues with
NullPointerException (and resulting 500 status) when using keycloak
spring-security-adapter and expired tokens would be gone. There's no more
an unexpected NullPointer from an empty kid value (fixed in KEYCLOAK-5636
<https://issues.jboss.org/browse/KEYCLOAK-5636>), but a problem still
remains.
This time it's publicKeyLocator being null in
AdapterRSATokenVerifier::getPublicKey. Somehow, after token was already
deemed inactive and TokenNotActiveException was already printed, there's a
second call to this method, this time with an empty deployment, and i'm
pretty sure it's not my code calling it. Since there's no null check on
locator field, it produces NullPointer upon trying to call
pkLocator.getPublicKey, even if kid is being checked for null.

Here's the first exception, the one i'm expecting:

2017-12-19 14:55:54,341 DEBUG XNIO-2 task-24 no_request_id
c.n.c.m.s.i.d.IdpConfigResolver - Error to validate token with public key
org.keycloak.exceptions.TokenNotActiveException: Token is not active
    at org.keycloak.TokenVerifier$2.test(TokenVerifier.java:84)
    at org.keycloak.TokenVerifier.verify(TokenVerifier.java:370)
    at org.keycloak.RSATokenVerifier.verify(RSATokenVerifier.java:89)
    at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:56)
    at
security.idp.deployment.IdpConfigResolver.checkPublicKey(IdpConfigResolver.java:149)
    at
security.idp.deployment.IdpConfigResolver.generateKeycloakDeploymentFromAuthorizationHeader(IdpConfigResolver.java:80)
    at
security.idp.deployment.IdpConfigResolver.resolve(IdpConfigResolver.java:57)
    at
org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
    at
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:138)
    at
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at
io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
    at
io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
    at
io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
    at
org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:168)
    at
org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:303)
    at
org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1286)
    at
org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1041)
    at
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:984)
    at
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
    at
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
    at
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
    at
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:81)
    at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at
io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:479)
    at
io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:412)
    at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:319)
    at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:332)
    at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

However, it is immediately followed by this:

2017-12-19 14:55:54,343 ERROR XNIO-2 task-24 no_request_id i.u.request -
UT005022: Exception generating error page /error
org.springframework.web.util.NestedServletException: Request processing
failed; nested exception is java.lang.RuntimeException:
java.lang.NullPointerException
    at
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:982)
    at
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
    at
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:81)
    at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at
io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:479)
    at
io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:412)
    at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:319)
    at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:332)
    at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: java.lang.NullPointerException
    at
io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:245)
    at
io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
    at
io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
    at
org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:168)
    at
org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:303)
    at
org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1286)
    at
org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1041)
    at
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:984)
    at
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
    at
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
    ... 29 common frames omitted
Caused by: java.lang.NullPointerException: null
    at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44)
    at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
    at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
    at
org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
    at
org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
    at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
    at
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:147)
    at
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
    at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
    at
io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
    ... 38 common frames omitted

Needless to say, i'm not expecting any error pages to be shown and i have
no idea where would keycloak get such a deployment that does not even have
keyLocator.
One place where i call AdapterRSATokenVerifier.verifyToken has a deployment
with explicitly set HardcodedPublicKeyLocator, which workes in every other
instance of token validation i've encountered so far.

I'd report this as a bug right away and make a request with a null check on
pkLocator, but somehow it seems the issue is not that simple, empty
deployment shouldn't be there in the first place. In the mean tiime, any
idea how can i get around this second verify() call or maybe disable the
/error page behaviour?

Best regards,
Dmitry

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

[keycloak-user] AdapterRsaTokenVerifier throws NullPointerException on getPublicKey after processing expired token