[BUG] NullPointerExceptions on getAuthenticatorConfig during required actions #465

Open
derlin opened this issue Nov 12, 2024 · 0 comments · May be fixed by #478
Labels
bug Something isn't working

derlin commented Nov 12, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

First, thank you for this great SPI!

I am facing a NullPointerException in multiple contexts that are unfortunately inconsistent and hard to reproduce. It usually happens during a kc_action such as UPDATE_EMAIL, CONFIGURE_TOTP, etc. When the user is redirected to Keycloak (using the kc_action=CONFIGURE_XXX parameter), he sometimes encounters a 500.

Stacktrace:

2024-11-11 15:19:30,595 WARN  [org.keycloak.services] (executor-thread-16982) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.AuthenticatorConfigModel.getConfig()" because the return value of "org.keycloak.authentication.AuthenticationFlowContext.getAuthenticatorConfig()" is null
	at de.sventorben.keycloak.authentication.hidpd.AuthenticationChallenge.forceChallenge(AuthenticationChallenge.java:35)
	at de.sventorben.keycloak.authentication.hidpd.HomeIdpDiscoveryAuthenticator.authenticate(HomeIdpDiscoveryAuthenticator.java:47)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:442)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:268)
	at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1071)
	at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:909)
	at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:152)
	at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:341)
	at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:202)
	at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
	at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:1583)

When this happens, the user needs to log out and log in again, and sometimes even this doesn't work and the only workaround is to restart Keycloak.

I have been facing this issue for quite a while, more and more locally since the upgrade to Keycloak 25, and it is now showing in production too.

Expected Behavior

Ideally, a 500 should never happen and the SPI should deal properly with null authentication contexts. Since actions are not part of a flow, I believe this is not related to a misconfiguration on our part.

Steps To Reproduce

I am still working on trying to identify what causes this, but so far to no avail.

More context: we have 2 "private IDPs" using the home-idp-discovery mapped to 2 domains each, and 2 public IDPs that use the regular buttons in the login. The error may happen on all users (authenticated with any method) as far as I can tell.

Version

- Keycloak: 25.0.6
- This extension: 25.0.0 (currently testing on 25.0.1)

Anything else?

I am in the process of updating and testing with Keycloak 26, but since this issue has been present for a while and is intermittent, I prefer to open the issue now.

@derlin derlin added the bug Something isn't working label Nov 12, 2024
@sventorben sventorben linked a pull request Dec 4, 2024 that will close this issue
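
The failure mode in the stack trace, next to a null-tolerant read of the same value, as an added example that is not code from this extension or from the linked pull request. The two nested interfaces are stand-ins that mirror only the Keycloak methods named in the trace, and the key `exampleFlag` and the fallback value are hypothetical.

```java
import java.util.Map;
import java.util.Optional;

public class NullSafeAuthenticatorConfig {

    // Stand-ins (assumption): only the two Keycloak methods named in the stack trace,
    // declared here so the example compiles without the Keycloak jars.
    interface AuthenticatorConfigModel { Map<String, String> getConfig(); }
    interface AuthenticationFlowContext { AuthenticatorConfigModel getAuthenticatorConfig(); }

    // Unguarded read: throws NullPointerException when getAuthenticatorConfig() returns null,
    // which is the condition reported in the trace.
    static boolean unguarded(AuthenticationFlowContext ctx, String key) {
        return Boolean.parseBoolean(ctx.getAuthenticatorConfig().getConfig().get(key));
    }

    // Guarded read: a missing config model, a missing map or a missing key
    // all resolve to the caller's default instead of aborting the request.
    static boolean guarded(AuthenticationFlowContext ctx, String key, boolean defaultValue) {
        return Optional.ofNullable(ctx.getAuthenticatorConfig())
                .map(AuthenticatorConfigModel::getConfig)
                .map(cfg -> cfg.get(key))
                .map(Boolean::parseBoolean)
                .orElse(defaultValue);
    }

    public static void main(String[] args) {
        String key = "exampleFlag"; // hypothetical key, not one of the extension's options

        // Constructed contexts: one with no authenticator config, one with the key set.
        AuthenticationFlowContext noConfig = () -> null;
        AuthenticationFlowContext withConfig = () -> () -> Map.of(key, "true");

        System.out.println("guarded, no config:   " + guarded(noConfig, key, false));
        System.out.println("guarded, with config: " + guarded(withConfig, key, false));

        try {
            unguarded(noConfig, key);
        } catch (NullPointerException e) {
            System.out.println("unguarded, no config: NullPointerException");
        }
    }
}
```

The default passed to the guarded read decides how the authenticator behaves when no configuration is present, so it should be the more restrictive of the two outcomes.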