By: Dominique Petitpierre user 22 May 2017 at 5:54 p.m. CDT

3 Responses
Hello, using oxauth-rp a client was created with "Dynamic Client Registration" (adapting from the video "Howto Register An OpenID Connect Client" on https://www.youtube.com/watch?v=BcmSdNQ45Sg). Then at the "Authorization Endpoint" step, when requesting ID_TOKEN in the Response Type, one can authenticate but, after, one obtains a blank page. The oxauth.log has an error message indicating a NullPointerException while in org.xdi.oxauth.model.jwk.JSONWebKeySet.fromJSONObject called while in AuthorizationGrant.createIdToken. If ID_TOKEN is not requested then there is no problem.

Here is the "Registration Response" content:

```
{
  "client_id": "@!4B57.EBDB.CFE7.33C6!0001!7959.6F19!0008!0B5B.8164.5F04.0CEC",
  "client_secret": "017e0af8-d2d3-49a5-a141-71c7e26fa651",
  "registration_access_token": "81c6e6ac-03f5-4143-ac71-664e8e0e764b",
  "registration_client_uri": "https://op.example.foo/oxauth/seam/resource/restv1/oxauth/register?client_id=@!4B57.EBDB.CFE7.33C6!0001!7959.6F19!0008!0B5B.8164.5F04.0CEC",
  "client_id_issued_at": 1495490247,
  "client_secret_expires_at": 1495576647,
  "redirect_uris": ["https://op.example.foo/oxauth-rp/home.htm"],
  "response_types": [ "code", "id_token", "token" ],
  "application_type": "web",
  "client_name": "dynclient5",
  "subject_type": "pairwise",
  "id_token_signed_response_alg": "HS256",
  "id_token_encrypted_response_alg": "RSA1_5",
  "id_token_encrypted_response_enc": "A128CBC+HS256",
  "userinfo_signed_response_alg": "HS256",
  "userinfo_encrypted_response_alg": "RSA1_5",
  "userinfo_encrypted_response_enc": "A128CBC+HS256",
  "request_object_signing_alg": "HS256",
  "request_object_encryption_alg": "RSA1_5",
  "request_object_encryption_enc": "A128CBC+HS256",
  "token_endpoint_auth_method": "client_secret_basic",
  "token_endpoint_auth_signing_alg": "HS256",
  "require_auth_time": false,
  "frontchannel_logout_uri": [""],
  "frontchannel_logout_session_required": false,
  "scopes": [ "openid", "permission" ]
}
```

Here is the request shown in /var/log/apache2/other_vhosts_access.log:

```
op.example.foo:443 192.168.1.9 - - [23/May/2017:00:05:00 +0200] "GET /oxauth/seam/resource/restv1/oxauth/authorize?scope=openid+email&display=page&response_type=code+token+id_token&redirect_uri=https%3A%2F%2Fop.example.foo%2Foxauth-rp%2Fhome.htm&state=state5&nonce=nonce5&client_id=%40%214B57.EBDB.CFE7.33C6%210001%217959.6F19%210008%210B5B.8164.5F04.0CEC&cid=57 HTTP/1.1" 500 373 "https://op.example.foo/oxauth/authorize?scope=openid+email&display=page&response_type=code+token+id_token&redirect_uri=https%3A%2F%2Fop.example.foo%2Foxauth-rp%2Fhome.htm&state=state5&nonce=nonce5&client_id=%40%214B57.EBDB.CFE7.33C6%210001%217959.6F19%210008%210B5B.8164.5F04.0CEC" "Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0"
```

And here is the corresponding extract from /opt/gluu/jetty/oxauth/logs/oxauth.log:

```
2017-05-23 00:05:00,942 DEBUG [qtp1395089624-10] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!4B57.EBDB.CFE7.33C6!0001!7959.6F19!0008!0B5B.8164.5F04.0CEC
2017-05-23 00:05:00,942 DEBUG [qtp1395089624-10] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:80) - Validating redirection URI: clientIdentifier = @!4B57.EBDB.CFE7.33C6!0001!7959.6F19!0008!0B5B.8164.5F04.0CEC, redirectionUri = https://op.example.foo/oxauth-rp/home.htm, found = 1
2017-05-23 00:05:00,943 DEBUG [qtp1395089624-10] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:86) - Comparing https://op.example.foo/oxauth-rp/home.htm == https://op.example.foo/oxauth-rp/home.htm
2017-05-23 00:05:00,977 DEBUG [qtp1395089624-10] [org.xdi.oxauth.model.util.JwtUtil] (JwtUtil.java:204) - Retrieving jwks...
2017-05-23 00:05:00,978 ERROR [qtp1395089624-10] [org.xdi.oxauth.model.common.AuthorizationGrant] (AuthorizationGrant.java:175) - null
java.lang.NullPointerException: null
    at org.xdi.oxauth.model.jwk.JSONWebKeySet.fromJSONObject(JSONWebKeySet.java:104) ~[oxauth-model-3.0.1.jar:?]
    at org.xdi.oxauth.model.token.IdTokenFactory.generateEncryptedIdToken(IdTokenFactory.java:434) ~[classes/:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_112]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_112]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_112]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_112]
    at org.jboss.seam.util.Reflections.invoke(Reflections.java:22) ~[jboss-seam-2.3.1.Final.jar:2.3.1.Final]
    at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32) ~[jboss-seam-2.3.1.Final.jar:2.3.1.Final]
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56) ~[jboss-seam-2.3.1.Final.jar:2.3.1.Final]
    at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28) ~[jboss-seam-2.3.1.Final.jar:2.3.1.Final]
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) ~[jboss-seam-2.3.1.Final.jar:2.3.1.Final]
    at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:79) ~[jboss-seam-2.3.1.Final.jar:2.3.1.Final]
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) ~[jboss-seam-2.3.1.Final.jar:2.3.1.Final]
    at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44) ~[jboss-seam-2.3.1.Final.jar:2.3.1.Final]
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) ~[jboss-seam-2.3.1.Final.jar:2.3.1.Final]
    at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107) ~[jboss-seam-2.3.1.Final.jar:2.3.1.Final]
    at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:196) ~[jboss-seam-2.3.1.Final.jar:2.3.1.Final]
    at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:114) ~[jboss-seam-2.3.1.Final.jar:2.3.1.Final]
    at org.xdi.oxauth.model.token.IdTokenFactory_$$_javassist_seam_56.generateEncryptedIdToken(IdTokenFactory_$$_javassist_seam_56.java) ~[classes/:?]
    at org.xdi.oxauth.model.token.IdTokenFactory.createJwr(IdTokenFactory.java:479) ~[classes/:?]
    at org.xdi.oxauth.model.common.AuthorizationGrant.createIdToken(AuthorizationGrant.java:59) ~[classes/:?]
    at org.xdi.oxauth.model.common.AuthorizationGrant.createIdToken(AuthorizationGrant.java:158) [classes/:?]
    ...
```

Many variants of the client definition have been tried but without success in obtaining an id_token. Any idea what is wrong and how to correct it? Which configuration parameters (of the dynamic client but also of the oxauth server) are involved when generating an id_token? What kind of test could be done to identify the possible causes? Thanks in advance for your answers or hints!

By Michael Schwartz Account Admin 22 May 2017 at 9:53 p.m. CDT

That video is quite old. I just tried it on my server and it works ok. A few hints:

1. use response type `code`
2. use grant type `authorization_code`
3. only request the `openid` scope (which is default with dynamic client reg)
4. Remember that the code can only be used once

Below is how I tested it:

```
Reg REQUEST:
------------
POST /oxauth/seam/resource/restv1/oxauth/register HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: goblin.gluu.info

{
  "redirect_uris": ["https://goblin.gluu.info/oxauth-rp/home.htm"],
  "response_types": ["code"],
  "grant_types": ["authorization_code"],
  "application_type": "web",
  "client_name": "oxauth-rp",
  "subject_type": "public",
  "frontchannel_logout_uri": [""],
  "frontchannel_logout_session_required": "false"
}

REG RESPONSE:
-------------
HTTP/1.1 200
Date: Tue, 23 May 2017 02:40:16 GMT
Server: Jetty(9.3.15.v20161220)
Content-Length: 955
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Pragma: no-cache
Access-Control-Allow-Origin: *
Set-Cookie: JSESSIONID=12ytgfh7enf6nalw6bqp27at3;Path=/oxauth;Secure;HttpOnly
Keep-Alive: timeout=5, max=100
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json
Connection: Keep-Alive
Cache-Control: no-store

{
  "client_id": "@!2E9F.AC40.7B61.9A41!0001!C18E.09A6!0008!1DEC.DA99.3A0D.C7D4",
  "client_secret": "98c28d9f-efa7-429c-ae42-398760e2a55d",
  "registration_access_token": "d266ca49-ac5c-4b4b-b598-c799a88034c1",
  "registration_client_uri": "https://goblin.gluu.info/oxauth/seam/resource/restv1/oxauth/register?client_id=@!2E9F.AC40.7B61.9A41!0001!C18E.09A6!0008!1DEC.DA99.3A0D.C7D4",
  "client_id_issued_at": 1495507216,
  "client_secret_expires_at": 1495593616,
  "redirect_uris": ["https://goblin.gluu.info/oxauth-rp/home.htm"],
  "response_types": ["code"],
  "application_type": "web",
  "client_name": "oxauth-rp",
  "subject_type": "public",
  "id_token_signed_response_alg": "RS256",
  "token_endpoint_auth_method": "client_secret_basic",
  "require_auth_time": false,
  "frontchannel_logout_uri": [""],
  "frontchannel_logout_session_required": false,
  "scopes": [ "openid", "permission" ]
}

AUTHZ Form Values:
---------------
Response Type: code
ClientID: @!2E9F.AC40.7B61.9A41!0001!C18E.09A6!0008!1DEC.DA99.3A0D.C7D4
Scopes: openid
Redirect URL: https://goblin.gluu.info/oxauth-rp/home.htm
State: e25add2a
Nonce: 01715155717
Display: Page

TOKEN REQUEST:
--------------
POST /oxauth/seam/resource/restv1/oxauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: goblin.gluu.info
Authorization: Basic QCEyRTlGLkFDNDAuN0I2MS45QTQxITAwMDEhQzE4RS4wOUE2ITAwMDghMURFQy5EQTk5LjNBMEQuQzdENDo5OGMyOGQ5Zi1lZmE3LTQyOWMtYWU0Mi0zOTg3NjBlMmE1NWQ=

grant_type=authorization_code&code=b30cd190-7dd5-4e71-8b04-92e6fe922604&redirect_uri=https%3A%2F%2Fgoblin.gluu.info%2Foxauth-rp%2Fhome.htm&scope=openid

TOKEN RESPONSE:
---------------
HTTP/1.1 200
Date: Tue, 23 May 2017 02:46:38 GMT
Server: Jetty(9.3.15.v20161220)
Content-Length: 1147
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Pragma: no-cache
Access-Control-Allow-Origin: *
Set-Cookie: JSESSIONID=3htmgdq7eqib1pnt7055bqpll;Path=/oxauth;Secure;HttpOnly
Keep-Alive: timeout=5, max=100
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json
Connection: Keep-Alive
Cache-Control: no-store

{"access_token":"4fec76a4-f6b5-4aa6-96b4-ab51ebc61e40","token_type":"bearer","expires_in":299,"refresh_token":"d694c1a4-d95c-4b7c-a1e3-96c5feab129a","scope":"openid","id_token":"eyJraWQiOiIyNTNlNDYwNC1hODRjLTQyMGUtOTE0NC05YjlkM2RlYWY5MjQiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.NcPh4qxWKd-xFe5HKa8UiJu31WF-UXX0obl4AAPWaC5VfU-AGtl43NnvsTQoUXgfnae7y9OWcsylVEv0SRlXjbyhlFausSmsPIwmlPENJAFZLAZs8tv7G-P9rk2t3eB31YTX4hPiEk_T2nYT77MIh_9jBt-7mTftZIoG42Lr5F4U4nXTWHoVy2JrdlHebGEpfEFRl1nno7ytiQYhRNUR83hiSWpoh9SgBdoKMyUM-hr9YKnyZ7bdAYypSSGlJaza69mkCUO0O5Eo30YLr4wnFGvs5h0dNom4iaxtKVltqe4oKyG8XCVM8vBT56_OEzt0OHWijwkoqbRRt7XDTIVpBA"}
```
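The exchange above can be checked offline. This added Python example (not part of the thread and not Gluu code) rebuilds the client_secret_basic Authorization header from the registered client_id and client_secret, produces the authorization_code token request body, and decodes the JOSE header of the returned id_token to show whether it is a signed JWS or an encrypted JWE and which alg it names; the values it uses are copied from the posts above.

```python
import base64
import json
from urllib.parse import urlencode

# Values copied from the registration response and token exchange posted above.
CLIENT_ID = "@!2E9F.AC40.7B61.9A41!0001!C18E.09A6!0008!1DEC.DA99.3A0D.C7D4"
CLIENT_SECRET = "98c28d9f-efa7-429c-ae42-398760e2a55d"
REDIRECT_URI = "https://goblin.gluu.info/oxauth-rp/home.htm"
# First segment (JOSE header) of the id_token returned in the token response above.
ID_TOKEN_HEADER = ("eyJraWQiOiIyNTNlNDYwNC1hODRjLTQyMGUtOTE0NC05YjlkM2RlYWY5MjQi"
                   "LCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic: base64(client_id ':' client_secret). oxauth encodes the raw
    values, as the posted header shows; RFC 6749 s2.3.1 form-urlencodes them first, which
    only differs for ids containing reserved characters such as '@' and '!'."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request_body(code: str, redirect_uri: str) -> str:
    """Form body of the authorization_code grant; redirect_uri must equal the registered one."""
    return urlencode({"grant_type": "authorization_code",
                      "code": code,  # single use: replaying it is rejected by the server
                      "redirect_uri": redirect_uri,
                      "scope": "openid"})


def jose_header(token: str) -> dict:
    """Decode the protected header of a compact JWS/JWE. Inspection only, no signature check."""
    first = token.split(".")[0]
    padded = first + "=" * (-len(first) % 4)  # JOSE uses unpadded base64url (RFC 7515)
    return json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))


def describe_id_token(token: str) -> dict:
    """Signed JWS has 3 segments, encrypted JWE has 5. A client registered with
    id_token_encrypted_response_alg (RSA1_5 in the question) gets a JWE, which requires the
    client's JWKS on the server side; the registration default above is a plain RS256 JWS."""
    hdr = jose_header(token)
    return {"kind": {3: "JWS", 5: "JWE"}.get(token.count(".") + 1, "unknown"),
            "alg": hdr.get("alg"), "enc": hdr.get("enc"), "kid": hdr.get("kid")}


if __name__ == "__main__":
    print(basic_auth_header(CLIENT_ID, CLIENT_SECRET))
    print(token_request_body("b30cd190-7dd5-4e71-8b04-92e6fe922604", REDIRECT_URI))
    print(describe_id_token(ID_TOKEN_HEADER + ".payload-elided.signature-elided"))
```

Comparing the generated header and body with the captured TOKEN REQUEST is a quick way to confirm that a client of your own builds the same request the test tool did.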

By Michael Schwartz Account Admin 22 May 2017 at 9:54 p.m. CDT

BTW, check out [oxd](https://oxd.gluu.org) if you want to build a web application. It provides a slightly easier way to write an openid connect web client.

By Dominique Petitpierre user 23 May 2017 at 3:27 p.m. CDT

Thanks for the demo test detailed description: it works the same on our instance. Good! I got into trouble by over-configuring the client, a situation resulting from earlier errors and problems. Unlike in the video, you did not specify the various encryption, encoding and signing algorithms when registering the client:

- What are the defaults that are used when not specified?
- Also, in that interface, would it make sense to allow the specification of additional scopes when registering the client? (It is possible to update the client and change its scopes in the Gluu server administration tool.)

Thanks for a very useful testing tool!