Unable to delete client when one of its related tokens has null AuthenticationHolder related
Closed this issue · 2 comments
All started from getting this error:
2024-01-10 16:02:57.507 ERROR 7 --- [-8080-exec-9338] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.NullPointerException: Cannot invoke "org.mitre.oauth2.model.AuthenticationHolderEntity.getScope()" because the return value of "org.mitre.oauth2.model.OAuth2AccessTokenEntity.getAuthenticationHolder()" is null] with root cause
java.lang.NullPointerException: Cannot invoke "org.mitre.oauth2.model.AuthenticationHolderEntity.getScope()" because the return value of "org.mitre.oauth2.model.OAuth2AccessTokenEntity.getAuthenticationHolder()" is null
at it.infn.mw.iam.api.client.service.DefaultClientService.isValidAccessToken(DefaultClientService.java:142)
at it.infn.mw.iam.api.client.service.DefaultClientService.lambda$deleteTokensByClient$1(DefaultClientService.java:150)
at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:178)
at java.base/java.util.Vector$VectorSpliterator.forEachRemaining(Vector.java:1470)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596)
at it.infn.mw.iam.api.client.service.DefaultClientService.deleteTokensByClient(DefaultClientService.java:151)
at it.infn.mw.iam.api.client.service.DefaultClientService.deleteClient(DefaultClientService.java:137)
...
The code lines that raise this exception are:
https://github.com/indigo-iam/iam/blob/master/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/DefaultClientService.java#L148
Probably switching from a.getAuthenticationHolder().getScope()
to a.getScope()
should fix it, but we need to understand how this status has been reached.
We know that the token that cannot be deleted is a Registration Access Token that has a reference to an AuthenticationHolderEntity that doesn't exist:
MySQL [iam]> select * from access_token where client_id = "128037";
+---------+-------------+------------+------------+------------------+-----------+----------------+-------------+------------------+
| id      | token_value | expiration | token_type | refresh_token_id | client_id | auth_holder_id | id_token_id | approved_site_id |
+---------+-------------+------------+------------+------------------+-----------+----------------+-------------+------------------+
| 9507219 | >>SECRET<<  | NULL       | Bearer     | NULL             | 128037    | 2895438        | NULL        | NULL             |
+---------+-------------+------------+------------+------------------+-----------+----------------+-------------+------------------+
MySQL [iam]> select * from authentication_holder where id = "2895438";
Empty set (0.001 sec)
Error observed on IAM v1.8.2p2 but potentially all IAM >= 1.8.0 are involved.
Needs further investigation.
PR #689
The origin of this issue is not clear. No further investigation is necessary because, in any case, since v1.8.3 the involved database tables are linked by a foreign key constraint. So it is no longer possible to have an auth_holder_id in access_token that is missing from authentication_holder.
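
The dangling reference reported above and the foreign key mentioned in the last comment can be reproduced in a small added example, which is not part of the issue thread or the IAM code base. It assumes an in-memory SQLite database as a stand-in for MySQL, a schema reduced to the columns shown in the issue, constructed rows, and an illustrative constraint definition rather than the project's actual migration.

```python
import sqlite3

# Reduced schema (assumption): only columns visible in the issue; SQLite stands in for MySQL.
SCHEMA_NO_FK = """
CREATE TABLE authentication_holder (id INTEGER PRIMARY KEY);
CREATE TABLE access_token (
    id INTEGER PRIMARY KEY,
    client_id INTEGER,
    auth_holder_id INTEGER
);
"""
FK = "auth_holder_id INTEGER REFERENCES authentication_holder(id)"
SCHEMA_FK = SCHEMA_NO_FK.replace("auth_holder_id INTEGER", FK)

# Tokens whose auth_holder_id points at no authentication_holder row.
ORPHAN_QUERY = """
SELECT t.id, t.client_id, t.auth_holder_id
FROM access_token t
LEFT JOIN authentication_holder h ON h.id = t.auth_holder_id
WHERE t.auth_holder_id IS NOT NULL AND h.id IS NULL
"""

def open_db(schema):
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    db.executescript(schema)
    return db

def find_orphans(db):
    return db.execute(ORPHAN_QUERY).fetchall()

def insert_token(db, token_id, client_id, holder_id):
    """Return True if the row was accepted, False if a constraint rejected it."""
    try:
        db.execute("INSERT INTO access_token VALUES (?, ?, ?)", (token_id, client_id, holder_id))
        return True
    except sqlite3.IntegrityError:
        return False

def demo():
    # Constructed rows: token 1 is healthy, token 2 dangles like the one in the issue.
    old = open_db(SCHEMA_NO_FK)
    old.execute("INSERT INTO authentication_holder VALUES (10)")
    insert_token(old, 1, 100, 10)
    insert_token(old, 2, 100, 99)
    new = open_db(SCHEMA_FK)
    new.execute("INSERT INTO authentication_holder VALUES (10)")
    return find_orphans(old), insert_token(new, 2, 100, 99)
```

Run against a pre-constraint database, the same LEFT JOIN lists every token that would trigger the NullPointerException during client deletion.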