
NullPointerException when not specifying the token_type_hint for the revoke token endpoint #170


Closed
lspil opened this issue Nov 28, 2020 · 4 comments
Labels
status: duplicate A duplicate of another issue

Comments

@lspil

lspil commented Nov 28, 2020

Hi. I got a new issue. If I omit the token_type_hint request parameter for the token revocation endpoint, I get a NullPointerException.
In my opinion, I should get a 4XX HTTP status with a nice message, as happens if I omit the token, for example (or for the other endpoints, like /token). Please let me know if you consider this an issue as well, and if so, you can assign it to me. I can take care of it.

Steps to reproduce: Call the /oauth2/revoke endpoint without specifying the token_type_hint request parameter.

Result:

java.lang.NullPointerException: Cannot invoke "org.springframework.security.oauth2.server.authorization.TokenType.getValue()" because "tokenType" is null
at org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService.hasToken(InMemoryOAuth2AuthorizationService.java:67) ~[main/:na]
at org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService.lambda$findByToken$0(InMemoryOAuth2AuthorizationService.java:61) ~[main/:na]
at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:176) ~[na:na]
at java.base/java.util.concurrent.ConcurrentHashMap$ValueSpliterator.tryAdvance(ConcurrentHashMap.java:3620) ~[na:na]
at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127) ~[na:na]
at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502) ~[na:na]
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488) ~[na:na]
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[na:na]
at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150) ~[na:na]
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:na]

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 28, 2020
@lspil

lspil commented Nov 28, 2020

So, I actually see this parameter is OPTIONAL in the RFC. So I guess if it's not given, the authorization server should be able to find the token without the hint. Still, it shouldn't throw a NullPointerException.

token_type_hint  OPTIONAL.  A hint about the type of the token submitted for revocation. Clients MAY pass this parameter in order to help the authorization server to optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. This specification defines two such values:

    * access_token: An access token as defined in [RFC6749], Section 1.4

    * refresh_token: A refresh token as defined in [RFC6749], Section 1.5

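The lookup rule quoted above, as an added example that is not part of this issue and not Spring Authorization Server code (every class, method and token value below is invented for illustration): the hint only orders the search across the supported token types, it never restricts it, so a missing hint just means "search everything" rather than a dereference of null. It also shows the RFC 7009 section 2.2 response rule, where an unknown token is not an error but a missing token is.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

// Hypothetical in-memory authorization store; names are invented for this
// example and do not correspond to the project's own classes.
public class RevocationLookupExample {

    enum TokenType { ACCESS_TOKEN, REFRESH_TOKEN }

    /** One issued authorization: an access token and an optional refresh token. */
    static final class Authorization {
        final String id;
        final String accessToken;
        final String refreshToken; // may be null (e.g. client_credentials grant)

        Authorization(String id, String accessToken, String refreshToken) {
            this.id = id;
            this.accessToken = accessToken;
            this.refreshToken = refreshToken;
        }
    }

    private final Map<String, Authorization> authorizations = new LinkedHashMap<>();

    void save(Authorization authorization) {
        authorizations.put(authorization.id, authorization);
    }

    /** True if this authorization holds {@code token} as the given (never null) type. */
    private static boolean hasToken(Authorization a, String token, TokenType type) {
        switch (type) {
            case ACCESS_TOKEN:
                return token.equals(a.accessToken);
            case REFRESH_TOKEN:
                return token.equals(a.refreshToken); // false when refreshToken is null
            default:
                return false;
        }
    }

    /**
     * Look up the authorization holding {@code token}. {@code hint} may be null;
     * it is expanded into a search order here, so hasToken never sees a null type.
     */
    Authorization findByToken(String token, TokenType hint) {
        Objects.requireNonNull(token, "token must not be null");
        List<TokenType> searchOrder = new ArrayList<>();
        if (hint != null) {
            searchOrder.add(hint); // hinted type first, as an optimisation only
        }
        for (TokenType type : TokenType.values()) {
            if (type != hint) {
                searchOrder.add(type); // then every other supported type
            }
        }
        for (TokenType type : searchOrder) {
            for (Authorization a : authorizations.values()) {
                if (hasToken(a, token, type)) {
                    return a;
                }
            }
        }
        return null;
    }

    /**
     * Revoke whatever {@code token} identifies. RFC 7009 section 2.2: an invalid or
     * unknown token does not produce an error response, so the answer is 200 either
     * way; only a missing token is a 400 invalid_request.
     */
    int revoke(String token, TokenType hint) {
        if (token == null || token.isEmpty()) {
            return 400;
        }
        Authorization a = findByToken(token, hint);
        if (a != null) {
            authorizations.remove(a.id); // drops the access and refresh token together
        }
        return 200;
    }

    public static void main(String[] args) {
        RevocationLookupExample store = new RevocationLookupExample();
        store.save(new Authorization("auth-1", "at-111", "rt-111"));
        store.save(new Authorization("auth-2", "at-222", null));

        // The reported case: no hint at all. Must search, not throw.
        System.out.println("no hint, refresh token found: " + (store.findByToken("rt-111", null) != null));
        // A wrong hint must fall back to the other type.
        System.out.println("wrong hint, still found: " + (store.findByToken("rt-111", TokenType.ACCESS_TOKEN) != null));
        System.out.println("unknown token status: " + store.revoke("nope", null));
        System.out.println("missing token status: " + store.revoke(null, null));
        System.out.println("revoke at-222 status: " + store.revoke("at-222", null)
                + ", remaining authorizations: " + store.authorizations.size());
    }
}
```

Two things worth keeping from this shape in a real store: validate the token parameter (400) before touching the lookup, and never let the caller's hint reach the comparison code as a nullable value. Plain String.equals is used above for readability; a production store should compare token values with a constant-time comparison or look them up by hash rather than scanning.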
@lspil

lspil commented Nov 28, 2020

@jgrandja
Collaborator

jgrandja commented Dec 8, 2020

Closing as duplicate of #174. See comment

@jgrandja jgrandja closed this as completed Dec 8, 2020
@jgrandja jgrandja removed this from the 0.1.0 milestone Dec 8, 2020
@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed type: bug A general bug labels Dec 8, 2020