[keycloak-user] Not existent attributes for users from user-federeation cause NPE
Lorenzo Luconi Trombacchi
lorenzo.luconi at iit.cnr.it
Fri Feb 1 10:54:54 EST 2019
I’m using Keycloak version 4.8.3 with a custom user federation plugin. I created a new realm, configured my user federation plugin and created a new client. I tried to authenticate and I got an error 500 from keycloak.
In Keycloak log I found this NullPointerException:
14:09:15,472 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: java.lang.NullPointerException
at org.keycloak.models.utils.KeycloakModelUtils.resolveAttribute(KeycloakModelUtils.java:414)
at org.keycloak.models.utils.KeycloakModelUtils.resolveAttribute(KeycloakModelUtils.java:415)
at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:93)
at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:101)
at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim(AbstractOIDCProtocolMapper.java:117)
at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim(AbstractOIDCProtocolMapper.java:119)
at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:606)
at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:422)
at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:795)
at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:544)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.resourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:569)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:186)
at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:402)
…..
After some tests I found the problem: the “Assigned Default Client Scopes” list, in my newly created client, includes the “profile” scope.
The “profile” scope includes a lot of attributes and not all of them are exported from my federation plugin for my users. Removing profile scope solve the problem and now I can successfully authenticate my federeted users.
In class KeycloakModelUtils the are two implementation of the method resolveAttribute:
public static List<String> resolveAttribute(GroupModel group, String name) {
List<String> values = group.getAttribute(name);
if (values != null && !values.isEmpty()) return values;
if (group.getParentId() == null) return null;
return resolveAttribute(group.getParent(), name);
}
public static Collection<String> resolveAttribute(UserModel user, String name, boolean aggregateAttrs) {
List<String> values = user.getAttribute(name);
Set<String> aggrValues = new HashSet<String>();
if (!values.isEmpty()) {
if (!aggregateAttrs) {
return values;
}
aggrValues.addAll(values);
}
for (GroupModel group : user.getGroups()) {
values = resolveAttribute(group, name);
if (values != null && !values.isEmpty()) {
if (!aggregateAttrs) {
return values;
}
aggrValues.addAll(values);
}
}
return aggrValues;
}
As you can see the first implementation checks if values is null, but not the second one where I got NPE.
In my UserModel implementation I override the getAttrubute method:
public class UserAdapter extends AbstractUserAdapterFederatedStorage {
…..
@Override
public List<String> getAttribute(String name) {
if (attributes.containsKey(name)) {
return attributes.get(name);
}
return super.getAttribute(name);
}
}
If I force this method to return an empty list instead of null value, this solve the problem. Is this the right fix? getAttribute method must not returns a null value?
I hope this helps.
Thanks,
Lorenzo
More information about the keycloak-user
mailing list