[keycloak-user] Occasional NPE while retrieving token
Orestis Tsakiridis
orestis.tsakiridis at telestax.com
Mon Sep 14 06:08:05 EDT 2015
Sounds great.
Thanks Marek.
On Mon, Sep 14, 2015 at 9:28 AM, Marek Posolda <mposolda at redhat.com> wrote:
> Thanks, I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-1842 .
> We will try to reproduce and fix for 1.6 release.
>
> Marek
>
>
> On 10/09/15 11:51, Orestis Tsakiridis wrote:
>
> Hello Marek,
>
> It looks like we've cornered the issue after all :-)
>
> I managed to reproduce it on a relatively clean keycloak setup with the
> following steps:
>
>
> 1. Create application app-dg that will be used to get tokens
> using direct access grants.
> Accesstype: Public
> Direct Grants Onlye: true
>
> 2. Create application app-test.
> AccessType: Bearer only
>
> 3. Create application level role 'role-test' in app-test.
>
> 4. Create user user-test. Assign it application level role
> app-test:role-test and set his password to 'password'
>
> 5. Retrieve a token for user-test using direct access grants:
>
> $ curl -k -X POST
> http://127.0.0.1:8080/auth/realms/restcomm/protocol/openid-connect/token
> -d "grant_type=password" -d "client_id=app-dg" -d "username=user-test" -d
> "password=password"
>
> And the token:
> {
> "jti": "f68e595e-d612-42a1-b4f2-0af2b32b7dd7",
> "exp": 1441881384,
> "nbf": 0,
> "iat": 1441877784,
> "iss": "http://127.0.0.1:8080/auth/realms/restcomm",
> "aud": "app-dg",
> "sub": "067021e3-0fac-49dd-931b-1d26eb8ceb70",
> "azp": "app-dg",
> "session_state": "03903e0d-4748-4aba-bf5e-c0529757c13d",
> "client_session": "7f8417c0-9fd0-4e65-a3d8-a9335cb1f704",
> "allowed-origins": [],
> "resource_access": {
> "app-test": {
> "roles": [
> "role-test"
> ]
> },
> "account": {
> "roles": [
> "view-profile",
> "manage-account"
> ]
> }
> },
> "name": "",
> "preferred_username": "user-test"
> }
>
> 6. Remove app-test
>
> 7. Try to retrieve a token once more and the error appears:
>
> 12:39:37,260 ERROR [io.undertow.request] (default task-17)
> UT005023: Exception handling request to
> /auth/realms/restcomm/protocol/openid-connect/token:
> java.lang.RuntimeException: request path:
> /auth/realms/restcomm/protocol/openid-connect/token
> at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)
> at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at
> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: org.jboss.resteasy.spi.UnhandledException:
> java.lang.NullPointerException
> at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> at
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
> at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)
> ... 29 more
> Caused by: java.lang.NullPointerException
> at
> org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353)
> at
> org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193)
> at
> org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412)
> at
> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358)
> at
> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> ... 37 more
>
> I rule i tried to make up is the following:
>
> "If for user Alice exists an active token with application roles for an
> application and this application is removed, you can't get a token for this
> user anymore"
>
> Also note that in my tests i've increased realm 'Access token lifespan' to
> 60 min. Maybe having a short lifespan discards the token before making any
> damage and the exception is not thrown. Just guessing here...
>
>
> I hope this helps
>
>
> Regards
>
> Orestis
>
> On Fri, Sep 4, 2015 at 11:54 AM, Orestis Tsakiridis <
> <orestis.tsakiridis at telestax.com>orestis.tsakiridis at telestax.com> wrote:
>
>> Hi Marek,
>>
>> Hmmm, indeed, that happens after having deleted clients. But, i haven't
>> defined any composite roles. The rest of the REST api operation i've used
>> don't seem to trigger it.
>>
>> But wait! i think you rung a bell. The clients i remove have their own
>> application-level roles created and bound to them. They are not composite
>> though in the strict sense of the term. Possibly the user that tries to get
>> a token is also assigned these roles. Btw, is it proper practice to remove
>> a client without removing its own application roles first?
>>
>> Also, I'm using the default H2 DB setup.
>>
>> I will try to reproduce and post my findings to this thread.
>>
>>
>> Thanks Marek
>>
>> Orestis
>>
>> On Wed, Sep 2, 2015 at 4:45 PM, Marek Posolda < <mposolda at redhat.com>
>> mposolda at redhat.com> wrote:
>>
>>> It looks you deleted some client, but his composite roles were not
>>> properly deleted. It might be a bug though, but not sure. It will be cool
>>> if you can provide more detailed steps to reproduce. Are you using default
>>> H2 DB or some else?
>>>
>>> Thanks,
>>> Marek
>>>
>>>
>>> On 02/09/15 11:25, Orestis Tsakiridis wrote:
>>>
>>> Hello,
>>>
>>> I'm experiencing a strange error while trying to retrieve a token.
>>> Although initially the application may function properly and tokens issued
>>> normally, something happens when i use the Admin REST api that triggers the
>>> error. After that no tokens can be issued and an NPE appears in the log.
>>> Usually this happens after trying to drop some clients.
>>>
>>> Btw, i'm using keycloak-1.4.0.Final.
>>>
>>> Here is the command i use to get the token:
>>>
>>> curl -k -X POST
>>> <https://identity.restcomm.com/auth/realms/restcomm/protocol/openid-connect/token>
>>> https://identity.restcomm.com/auth/realms/restcomm/protocol/openid-connect/token
>>> -d "grant_type=password" -d "client_id=restcomm-identity-rest" -d
>>> "username=otsakir" -d "password=...."
>>>
>>> And here is what i get in the logs:
>>>
>>> 09:12:36,414 ERROR [io.undertow.request] (default task-4) UT005023:
>>> Exception handling request to
>>> /auth/realms/restcomm/protocol/openid-connect/token:
>>> java.lang.RuntimeException: request path:
>>> /auth/realms/restcomm/protocol/openid-connect/token
>>> at
>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)
>>> at
>>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>> at
>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>>> at
>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>>> at
>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>> at
>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>> at
>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at
>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>> at
>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at
>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>> at
>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>> at
>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>>> at
>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>>> at
>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>> at
>>> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at
>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at
>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
>>> at
>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
>>> at
>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>>> at
>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>>> at
>>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>>> at
>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>> at java.lang.Thread.run(Thread.java:745)
>>> Caused by: org.jboss.resteasy.spi.UnhandledException:
>>> java.lang.NullPointerException
>>> at
>>> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>>> at
>>> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>>> at
>>> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
>>> at
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
>>> at
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>>> at
>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>>> at
>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>> at
>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>> at
>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>>> at
>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>>> at
>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)
>>> ... 29 more
>>> Caused by: java.lang.NullPointerException
>>> at
>>> org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353)
>>> at
>>> org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193)
>>> at
>>> org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412)
>>> at
>>> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358)
>>> at
>>> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113)
>>> at sun.reflect.GeneratedMethodAccessor204.invoke(Unknown Source)
>>> at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>> at
>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>>> at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>>> at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>>> at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>>> at
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>>> ... 37 more
>>>
>>>
>>> Regards
>>>
>>> Orestis
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150914/b3f2522c/attachment-0001.html
More information about the keycloak-user
mailing list