fix(jans-auth-server): challenge endpoint returns 400 if authorize throws an unexpected Exception #10553

@jgomer2001

Description

Jans version: Nightly version (Jan 5th)

If I add the following lines to the default_challenge authorization script (line 45):

String s = null;
s.charAt(0); // deliberately dereferences null so the script throws a NullPointerException

and invoke it:

curl -i -k -d use_auth_session=true -d flow_name=test3 -d scope=openid -d client_id=1800.31d70990-c119-411e-b793-0c60deaa2a8d https://blahh.../jans-auth/restv1/authorize-challenge

the response is:

HTTP/1.1 400 Bad Request
Date: Mon, 06 Jan 2025 15:50:11 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-transform, no-store
Content-Type: application/json
Content-Length: 238
Set-Cookie: X-Correlation-Id=8be13abf-a9e1-46e2-9828-485ff4578733; Secure; HttpOnly;HttpOnly
Connection: close

{
    "reason": "No allowed by authorization challenge script.",
    "error_description": "The resource owner or authorization server denied the request. CorrelationId: 8be13abf-a9e1-46e2-9828-485ff4578733",
    "error": "access_denied"
}

Logs show:

2025-01-06 15:50:11,455 DEBUG [qtp366004251-22] 8be13abf-a9e1-46e2-9828-485ff4578733 [io.jans.as.server.service.ClientService] (ClientService.java:152) - Found 1 entries for client id = 1800.31d70990-c119-411e-b793-0c60deaa2a8d
2025-01-06 15:50:11,458 DEBUG [qtp366004251-22] 8be13abf-a9e1-46e2-9828-485ff4578733 [as.server.authorize.ws.rs.AuthorizationChallengeService] (AuthorizationChallengeService.java:95) - Attempting to request authz challenge: AuthzRequest{scope='openid', responseType='null', clientId='1800.31d70990-c119-411e-b793-0c60deaa2a8d', redirectUri='null', state='null', responseMode='null', nonce='null', display='null', prompt='null', maxAge=null, uiLocales='null', idTokenHint='null', loginHint='null', acrValues='null', authorizationChallengeSession='null', amrValues='null', request='null', requestUri='null', authzDetailsString='null', authzDetails='null', sessionId='null', originHeaders='null', codeChallenge='null', codeChallengeMethod='null', customResponseHeaders='null', customParameters='{}', claims='null', authReqId='null', httpRequest=Request(POST https://jgomer2001-arriving-jay.gluu.info/jans-auth/restv1/authorize-challenge)@7b3d0197, httpResponse=HTTP/1.1 200 
Set-Cookie: X-Correlation-Id=8be13abf-a9e1-46e2-9828-485ff4578733; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT

, securityContext=null}
2025-01-06 15:50:11,459 DEBUG [qtp366004251-22] 8be13abf-a9e1-46e2-9828-485ff4578733 [io.jans.as.server.service.ClientService] (ClientService.java:152) - Found 1 entries for client id = 1800.31d70990-c119-411e-b793-0c60deaa2a8d
2025-01-06 15:50:11,828 DEBUG [Jans AuthScheduler_Worker-2]  [io.jans.service.timer.RequestJobListener] (RequestJobListener.java:59) - Bound request started
2025-01-06 15:50:11,828 DEBUG [Jans AuthScheduler_Worker-2]  [io.jans.service.timer.TimerJob] (TimerJob.java:42) - Fire timer event [io.jans.as.server.service.cdi.event.ClientPeriodicUpdateEvent] with qualifiers [@io.jans.service.cdi.event.Scheduled()] from instance 1511824490
2025-01-06 15:50:11,828 DEBUG [Jans AuthScheduler_Worker-2]  [io.jans.service.timer.RequestJobListener] (RequestJobListener.java:69) - Bound request ended
2025-01-06 15:50:11,900 DEBUG [qtp366004251-22] 8be13abf-a9e1-46e2-9828-485ff4578733 [jans.as.server.model.authorize.ScopeChecker] (ScopeChecker.java:58) - Checking scopes policy for: [openid]
2025-01-06 15:50:11,901 DEBUG [qtp366004251-22] 8be13abf-a9e1-46e2-9828-485ff4578733 [jans.as.server.model.authorize.ScopeChecker] (ScopeChecker.java:91) - Granted scopes: [openid]

==> jans-auth_script.log <==
2025-01-06 15:50:11,902 ERROR [qtp366004251-22] 8be13abf-a9e1-46e2-9828-485ff4578733 [jans.as.server.service.external.ExternalAuthorizationChallengeService] (ExternalAuthorizationChallengeService.java:105) - Cannot invoke "String.charAt(int)" because "s" is null
java.lang.NullPointerException: Cannot invoke "String.charAt(int)" because "s" is null
	at AuthorizationChallenge.authorize(Generated:46) ~[?:?]
	at io.jans.as.server.service.external.ExternalAuthorizationChallengeService.externalAuthorize(ExternalAuthorizationChallengeService.java:96) ~[classes/:?]
	at io.jans.as.server.service.external.ExternalAuthorizationChallengeService$Proxy$_$$_WeldClientProxy.externalAuthorize(Unknown Source) ~[classes/:?]
	at io.jans.as.server.authorize.ws.rs.AuthorizationChallengeService.authorize(AuthorizationChallengeService.java:163) ~[classes/:?]
	at io.jans.as.server.authorize.ws.rs.AuthorizationChallengeService.requestAuthorization(AuthorizationChallengeService.java:100) ~[classes/:?]
	at io.jans.as.server.authorize.ws.rs.AuthorizationChallengeService$Proxy$_$$_WeldClientProxy.requestAuthorization(Unknown Source) ~[classes/:?]
	at io.jans.as.server.authorize.ws.rs.AuthorizationChallengeEndpoint.requestAuthorizationPost(AuthorizationChallengeEndpoint.java:79) ~[classes/:?]
	at io.jans.as.server.authorize.ws.rs.AuthorizationChallengeEndpoint$Proxy$_$$_WeldClientProxy.requestAuthorizationPost(Unknown Source) ~[classes/:?]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.base/java.lang.reflect.Method.invoke(Method.java:569) ~[?:?]
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:408) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:69) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:249) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:60) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587) ~[jetty-jakarta-servlet-api-5.0.2.jar:?]
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764) ~[?:?]
	at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665) ~[?:?]
	at io.jans.as.server.filter.HeadersFilter.doFilter(HeadersFilter.java:36) ~[classes/:?]
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at io.jans.server.filters.AbstractCorsFilter.handleNonCORS(AbstractCorsFilter.java:357) ~[jans-core-server-0.0.0-nightly.jar:?]
	at io.jans.server.filters.AbstractCorsFilter.doFilter(AbstractCorsFilter.java:123) ~[jans-core-server-0.0.0-nightly.jar:?]
	at io.jans.as.server.filter.CorsFilter.doFilter(CorsFilter.java:116) ~[classes/:?]
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at io.jans.as.server.filter.CorrelationIdFilter.doFilter(CorrelationIdFilter.java:45) ~[classes/:?]
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at io.jans.as.server.audit.debug.ServletLoggingFilter.doFilter(ServletLoggingFilter.java:69) ~[classes/:?]
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:210) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.websocket.servlet.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:170) ~[websocket-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578) ~[jetty-security-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1570) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1381) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1543) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1303) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:192) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:51) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.Server.handle(Server.java:563) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762) [jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497) [jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282) [jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314) [jetty-io-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) [jetty-io-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53) [jetty-io-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969) [jetty-util-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194) [jetty-util-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149) [jetty-util-11.0.15.jar:11.0.15]
	at java.base/java.lang.Thread.run(Thread.java:840) [?:?]

==> jans-auth.log <==
2025-01-06 15:50:11,923 DEBUG [qtp366004251-22] 8be13abf-a9e1-46e2-9828-485ff4578733 [as.server.authorize.ws.rs.AuthorizationChallengeService] (AuthorizationChallengeService.java:165) - Not allowed by authorization challenge script, client_id 1800.31d70990-c119-411e-b793-0c60deaa2a8d.
2025-01-06 15:50:11,924 DEBUG [qtp366004251-22] 8be13abf-a9e1-46e2-9828-485ff4578733 [io.jans.as.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:83) - Looking for the error with id: access_denied
2025-01-06 15:50:11,924 DEBUG [qtp366004251-22] 8be13abf-a9e1-46e2-9828-485ff4578733 [io.jans.as.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:88) - Found error, id: access_denied
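
The behaviour in the report above, as an added illustration (not jans-auth-server code): a minimal handler that separates a script's explicit deny (a policy decision, 400 access_denied) from a script that throws (a server fault, 500 server_error), so that a crashing script is not reported to clients as a denial while the exception itself stays in the server log keyed by correlation id. The names `ChallengeOutcomeDemo`, `ChallengeOutcome` and `handle` are assumptions for the illustration.

```java
import java.util.UUID;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;

// Illustrative only; these types are assumptions, not jans-auth-server classes.
public class ChallengeOutcomeDemo {
    private static final Logger LOG = Logger.getLogger("authz-challenge");

    /** Result handed back to the endpoint: HTTP status, OAuth error code, correlation id. */
    public record ChallengeOutcome(int status, String error, String correlationId) {}

    /**
     * Runs the custom authorization script and maps its result to an HTTP outcome.
     * - script returns false  -> policy decision, 400 access_denied
     * - script throws         -> server fault, 500 server_error; stack trace logged, not returned
     * - script returns true   -> 200
     */
    public static ChallengeOutcome handle(Supplier<Boolean> script) {
        String correlationId = UUID.randomUUID().toString();
        boolean allowed;
        try {
            allowed = Boolean.TRUE.equals(script.get());
        } catch (RuntimeException e) {
            // Unexpected failure inside the script: log with the correlation id so the
            // server-side record can be matched to the client's error response.
            LOG.log(Level.SEVERE, "Authorization challenge script failed, correlationId=" + correlationId, e);
            return new ChallengeOutcome(500, "server_error", correlationId);
        }
        if (!allowed) {
            LOG.fine("Not allowed by authorization challenge script, correlationId=" + correlationId);
            return new ChallengeOutcome(400, "access_denied", correlationId);
        }
        return new ChallengeOutcome(200, null, correlationId);
    }

    public static void main(String[] args) {
        // A script that denies explicitly: 400 access_denied.
        System.out.println(handle(() -> false));
        // A script that crashes with the NullPointerException from the report: 500 server_error.
        System.out.println(handle(() -> { String s = null; return s.charAt(0) == 'x'; }));
    }
}
```

Compile and run with `javac ChallengeOutcomeDemo.java && java ChallengeOutcomeDemo` (Java 16 or later for the record type).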
