sventorben/keycloak-home-idp-discovery

[BUG] NullPointerExceptions on getAuthenticatorConfig during required actions

Closed this issue · 0 comments

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

First, thank you for this great SPI!

I am facing NullPointerExceptions in multiple contexts that are unfortunately inconsistent and hard to reproduce. It usually happens during a kc_action such as UPDATE_EMAIL, CONFIGURE_TOTP, etc. When the user is redirected to Keycloak (using the kc_action=CONFIGURE_XXX parameter), they sometimes encounter a 500.

Stacktrace:

2024-11-11 15:19:30,595 WARN  [org.keycloak.services] (executor-thread-16982) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.AuthenticatorConfigModel.getConfig()" because the return value of "org.keycloak.authentication.AuthenticationFlowContext.getAuthenticatorConfig()" is null
	at de.sventorben.keycloak.authentication.hidpd.AuthenticationChallenge.forceChallenge(AuthenticationChallenge.java:35)
	at de.sventorben.keycloak.authentication.hidpd.HomeIdpDiscoveryAuthenticator.authenticate(HomeIdpDiscoveryAuthenticator.java:47)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:442)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:268)
	at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1071)
	at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:909)
	at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:152)
	at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:341)
	at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:202)
	at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
	at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:1583)

When this happens, the user needs to log out and log in again, and sometimes even this doesn't work and the only workaround is to restart Keycloak.

I have been facing this issue for quite a while, increasingly so locally since the upgrade to Keycloak 25, and it is now showing in production too.

Expected Behavior

Ideally, a 500 should never happen and the SPI should deal properly with null authentication contexts. Since actions are not part of a flow, I believe this is not related to a misconfiguration on our part.

Steps To Reproduce

I am still working on trying to identify what causes this, but so far to no avail.

More context: we have 2 "private IdPs" using home-idp-discovery, mapped to 2 domains each, and 2 public IdPs that use the regular buttons on the login page. The error may happen for all users (authenticated with any method) as far as I can tell.

Version

- Keycloak: 25.0.6
- This extension: 25.0.0 (currently testing on 25.0.1)

Anything else?

I am in the process of updating and testing with Keycloak 26, but since this issue has been present for a while and is intermittent, I prefer to open the issue now.
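The stack trace above shows the shape of the failure: Keycloak's AuthenticationFlowContext.getAuthenticatorConfig() returns null for the execution, and the authenticator dereferences it unconditionally, so the flow fails with a 500 instead of falling back to defaults. The class below is an added illustration of the defensive pattern a custom Authenticator can use; it is not code from keycloak-home-idp-discovery and does not describe how that project fixed the issue. Its name (SafeAuthenticatorConfig), the sample keys in main(), and the fallback lookup by execution config id are all assumptions for the example. It only compiles with the Keycloak server-spi on the classpath.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.RealmModel;

/**
 * Null-safe access to an authenticator's configuration.
 *
 * Hypothetical helper (not part of keycloak-home-idp-discovery). Every null
 * on the path from AuthenticationFlowContext to the config map is tolerated,
 * so a missing AuthenticatorConfigModel yields defaults instead of an NPE.
 */
public final class SafeAuthenticatorConfig {

    private final Map<String, String> values;

    private SafeAuthenticatorConfig(Map<String, String> values) {
        this.values = values;
    }

    /** Resolve the config for the current execution; never throws on a missing config. */
    public static SafeAuthenticatorConfig from(AuthenticationFlowContext context) {
        AuthenticatorConfigModel model = context.getAuthenticatorConfig();
        if (model == null) {
            // Assumption: if the context does not carry the config, try the
            // execution's config id against the realm before giving up.
            model = lookupByExecution(context);
        }
        return fromModel(model);
    }

    /** Wrap a (possibly null) model; a null model or null map becomes an empty map. */
    public static SafeAuthenticatorConfig fromModel(AuthenticatorConfigModel model) {
        Map<String, String> map = (model == null || model.getConfig() == null)
                ? Collections.emptyMap()
                : model.getConfig();
        return new SafeAuthenticatorConfig(map);
    }

    private static AuthenticatorConfigModel lookupByExecution(AuthenticationFlowContext context) {
        AuthenticationExecutionModel execution = context.getExecution();
        RealmModel realm = context.getRealm();
        if (execution == null || realm == null || execution.getAuthenticatorConfig() == null) {
            return null;
        }
        return realm.getAuthenticatorConfigById(execution.getAuthenticatorConfig());
    }

    /** String value for key, or defaultValue when absent or blank. */
    public String getString(String key, String defaultValue) {
        String v = values.get(key);
        return (v == null || v.isBlank()) ? defaultValue : v;
    }

    /** Boolean value for key, or defaultValue when absent; only "true" (any case) is true. */
    public boolean getBoolean(String key, boolean defaultValue) {
        String v = values.get(key);
        return v == null ? defaultValue : Boolean.parseBoolean(v.trim());
    }

    /** True when no configuration was found at all, so callers can log it once. */
    public boolean isEmpty() {
        return values.isEmpty();
    }

    /** Stand-alone demonstration with a constructed model and with no model at all. */
    public static void main(String[] args) {
        // Constructed sample config; the keys are hypothetical, not the extension's.
        Map<String, String> sample = new HashMap<>();
        sample.put("forwardToFirstMatch", "TRUE");
        sample.put("userAttribute", "");
        AuthenticatorConfigModel model = new AuthenticatorConfigModel();
        model.setConfig(sample);

        SafeAuthenticatorConfig configured = SafeAuthenticatorConfig.fromModel(model);
        SafeAuthenticatorConfig missing = SafeAuthenticatorConfig.fromModel(null);

        System.out.println(configured.getBoolean("forwardToFirstMatch", false)); // true
        System.out.println(configured.getString("userAttribute", "email"));      // email (blank -> default)
        System.out.println(missing.getBoolean("forwardToFirstMatch", false));    // false, no NPE
        System.out.println(missing.isEmpty());                                   // true
    }
}
```

Inside an Authenticator's authenticate(context) the call becomes SafeAuthenticatorConfig.from(context) followed by getString/getBoolean with explicit defaults; logging a single warning when isEmpty() is true makes the intermittent "no config bound to this execution" condition visible in the server log instead of surfacing as a 500 to the user.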