indigo-iam/iam

Unable to delete client when one of its related tokens has null AuthenticationHolder related

Closed this issue · 2 comments

It all started with this error:

2024-01-10 16:02:57.507 ERROR 7 --- [-8080-exec-9338] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.NullPointerException: Cannot invoke "org.mitre.oauth2.model.AuthenticationHolderEntity.getScope()" because the return value of "org.mitre.oauth2.model.OAuth2AccessTokenEntity.getAuthenticationHolder()" is null] with root cause

java.lang.NullPointerException: Cannot invoke "org.mitre.oauth2.model.AuthenticationHolderEntity.getScope()" because the return value of "org.mitre.oauth2.model.OAuth2AccessTokenEntity.getAuthenticationHolder()" is null
	at it.infn.mw.iam.api.client.service.DefaultClientService.isValidAccessToken(DefaultClientService.java:142)
	at it.infn.mw.iam.api.client.service.DefaultClientService.lambda$deleteTokensByClient$1(DefaultClientService.java:150)
	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:178)
	at java.base/java.util.Vector$VectorSpliterator.forEachRemaining(Vector.java:1470)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
	at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
	at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596)
	at it.infn.mw.iam.api.client.service.DefaultClientService.deleteTokensByClient(DefaultClientService.java:151)
	at it.infn.mw.iam.api.client.service.DefaultClientService.deleteClient(DefaultClientService.java:137)
...

The code lines that raise this exception are:
https://github.com/indigo-iam/iam/blob/master/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/DefaultClientService.java#L148

Probably switching from a.getAuthenticationHolder().getScope() to a.getScope() should fix it, but we need to understand how this status has been reached.

We know that the token that cannot be deleted is a Registration Access Token that has a reference to an AuthenticationHolderEntity that doesn't exist:

MySQL [iam]> select * from access_token where client_id = "128037";
+---------+-------------+------------+------------+------------------+-----------+----------------+-------------+------------------+
| id      | token_value | expiration | token_type | refresh_token_id | client_id | auth_holder_id | id_token_id | approved_site_id |
+---------+-------------+------------+------------+------------------+-----------+----------------+-------------+------------------+
| 9507219 | >>SECRET<<  | NULL       | Bearer     |             NULL |    128037 |        2895438 |        NULL |             NULL |
+---------+-------------+------------+------------+------------------+-----------+----------------+-------------+------------------+

MySQL [iam]> select * from authentication_holder where id = "2895438";
Empty set (0.001 sec)

Error observed on IAM v1.8.2p2, but potentially all IAM >= 1.8.0 are involved.
Needs further investigation.

The origin of this issue is not clear. No further investigation is necessary because, in any case, since v1.8.3 the involved database tables are linked by a foreign key constraint. So it's no longer possible to have an auth_holder_id in access_token which is missing from authentication_holder.
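
Added example (not part of the issue or of the IAM code base): an anti-join that lists access_token rows whose auth_holder_id has no matching authentication_holder row, plus a check that a foreign key rejects such a row. It runs against an in-memory SQLite database with a constructed, reduced schema; only the table names, column names and the three ids come from the issue, and the foreign-key definition is an assumption, not IAM's actual migration.

```python
import sqlite3

# Anti-join: access tokens whose auth_holder_id matches no authentication_holder row.
ORPHAN_QUERY = """
SELECT t.id, t.client_id, t.auth_holder_id
FROM access_token AS t
LEFT JOIN authentication_holder AS h ON h.id = t.auth_holder_id
WHERE t.auth_holder_id IS NOT NULL AND h.id IS NULL
ORDER BY t.id
"""

def make_db(with_fk):
    """Build a constructed, reduced schema (only columns shown in the issue)."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    # Assumed FK definition for illustration; not taken from IAM's migrations.
    fk = " REFERENCES authentication_holder(id)" if with_fk else ""
    db.execute("CREATE TABLE authentication_holder (id INTEGER PRIMARY KEY)")
    db.execute(
        "CREATE TABLE access_token (id INTEGER PRIMARY KEY, client_id INTEGER, "
        f"auth_holder_id INTEGER{fk})"
    )
    return db

def find_orphans(db):
    """Return (token id, client_id, auth_holder_id) for every dangling reference."""
    return db.execute(ORPHAN_QUERY).fetchall()

def demo_without_fk():
    """Without a constraint the dangling row is stored and the query reports it."""
    db = make_db(with_fk=False)
    db.execute("INSERT INTO authentication_holder (id) VALUES (1)")
    # Constructed healthy row, then the dangling row reported in the issue.
    db.execute("INSERT INTO access_token VALUES (1, 128037, 1)")
    db.execute("INSERT INTO access_token VALUES (9507219, 128037, 2895438)")
    return find_orphans(db)

def demo_with_fk():
    """With the constraint the same dangling row cannot be inserted at all."""
    db = make_db(with_fk=True)
    try:
        db.execute("INSERT INTO access_token VALUES (9507219, 128037, 2895438)")
    except sqlite3.IntegrityError:
        return "rejected"
    return "accepted"

if __name__ == "__main__":
    print(demo_without_fk())
    print(demo_with_fk())
```

The SELECT in ORPHAN_QUERY is plain SQL and uses only the columns visible in the issue's query output.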