Token request returning 500 when client_id is omitted #54

Closed
anbraten opened this issue Dec 13, 2018 · 5 comments
Labels: bug (Something isn't working), documentation (An issue or clarification on documentation)
Milestone: 1.3.1

@anbraten
Open ID token request error 500

Description

If I try to request a new access_token via the OAuth token endpoint using a code and Basic auth headers with client_id:client_secret, I only get 500 errors. I am using the panva/node-openid-client library.

Steps to reproduce

Steps to reproduce the behavior:

  1. Try to get tokens by using following request:
POST /oauth2/token HTTP/1.1
user-agent: openid-client/2.4.5 (https://github.com/panva/node-openid-client)
accept: application/json
authorization: Basic ZTQ3MWIxZmUtYjkxNi00YTY4LTk1NWMtNGM2N2FkNzQwN2UwOnpiNmx1NEtLQVlNWmRfd09YU0xJM0ctN3Q2QkFGVnli
accept-encoding: gzip, deflate
content-type: application/x-www-form-urlencoded
content-length: 136
Host: auth.xxx.tdl
Connection: close

Body:
code: "c8sqAVNHj6m3Zvsn0Z3C30pBKvBkOHxVxJ9hSy_eEw0"
grant_type: "authorization_code"
redirect_uri: "http://localhost:8081/authenticate"
  2. HTTP 500 is thrown
code: "[Exception]"
message: "FusionAuth encountered an unexpected error. Please contact support for assistance."

Error:

Dec 13, 2018 3:27:57.627 PM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.NullPointerException: null
	at io.fusionauth.api.service.oauth2.DefaultOAuthService.validateTokenRequest(DefaultOAuthService.java:397) ~[fusionauth-api-1.3.0.jar:1.3.0]
	at io.fusionauth.app.action.oauth2.TokenAction.post(TokenAction.java:72) ~[fusionauth-app-1.3.0.jar:1.3.0]
	at sun.reflect.GeneratedMethodAccessor89.invoke(Unknown Source) ~[na:na]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_171]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_171]
	at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:436) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:84) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:64) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:60) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:45) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:112) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:89) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:57) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.DefaultMVCWorkflow.perform(DefaultMVCWorkflow.java:91) ~[prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44) [prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50) [prime-mvc-1.11.1.jar:1.11.1]
	at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:84) [prime-mvc-1.11.1.jar:1.11.1]
	at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:59) [inversoft-maintenance-mode-0.12.5.jar:0.12.5]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.31]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.31]
	at com.inversoft.servlet.CORSFilter.handleNonCORS(CORSFilter.java:748) [inversoft-servlet-0.1.1.jar:0.1.1]
	at com.inversoft.servlet.CORSFilter.doFilter(CORSFilter.java:646) [inversoft-servlet-0.1.1.jar:0.1.1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.31]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.31]
	at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27) [inversoft-servlet-0.1.1.jar:0.1.1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.31]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.31]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [catalina.jar:8.5.31]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.31]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496) [catalina.jar:8.5.31]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [catalina.jar:8.5.31]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.31]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.31]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [catalina.jar:8.5.31]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) [tomcat-coyote.jar:8.5.31]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote.jar:8.5.31]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) [tomcat-coyote.jar:8.5.31]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468) [tomcat-coyote.jar:8.5.31]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.31]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_171]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_171]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.31]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_171]

Platform

  • fusionauth 1.3 (docker)
  • oauth client: panva/node-openid-client

My node-openid-client implementation

// openid-client v2 API; Config, Logger, csrfToken and next() are the reporter's own application objects.
const { Issuer } = require('openid-client');

let issuerMetadata;
let client;
let authorizationUri;

Issuer.discover(Config.get('auth.issuer'))
    .then((oicIssuer) => {
      Logger.debug(`[Auth] Discovered issuer: ${oicIssuer.issuer}`);
      issuerMetadata = oicIssuer.metadata;
      // token_endpoint_auth_method defaults to client_secret_basic, so the token
      // request sends client_id:client_secret in the Authorization header and
      // no client_id in the form body (the request shown above).
      client = new oicIssuer.Client({
        client_id: Config.get('auth.client.id'),
        client_secret: Config.get('auth.client.secret'),
      });

      authorizationUri = client.authorizationUrl({
        redirect_uri: Config.get('auth.redirect_uri'),
        scope: 'openid email',
        state: `${csrfToken}`,
      });
      next();
    })
    .catch(next);

The error occurs when running:

// query is the parsed redirect query string; the state check guards against CSRF.
// authorizationCallback exchanges the code at the token endpoint, which is where the 500 comes back.
return client.authorizationCallback(Config.get('auth.redirect_uri'), query, { state: csrfToken })
    .then((auth) => {
      console.log('auth', auth);
    })
    .catch((error) => {
      Logger.error(`[Auth] ${error}`);
    });

@anbraten (Author) commented Dec 13, 2018

https://fusionauth.io/docs/v1/tech/oauth/endpoints
It could be because I am not sending the client_id as a POST parameter?! But providing the client_id twice (auth header and POST parameters) feels strange to me anyway.

@robotdan (Member)

Hi @Garogat - thanks for letting us know.

This is a bug, it will be patched in the next release. For now, to work-around this issue, please do provide the client_id in the request body. When you omit this parameter, you should have received a 400 with a JSON response body. There is a bug that is causing this not to happen correctly and then you see the NPE which causes a 500.

I agree with you, we should not require the client_id in the body when you are providing the client_id and client_secret in the authorization header.

I will correct this behavior.

@robotdan robotdan self-assigned this Dec 13, 2018
@robotdan robotdan added bug Something isn't working documentation An issue or clarification on documentation labels Dec 13, 2018
@robotdan robotdan added this to Backlog in FusionAuth Issues via automation Dec 13, 2018
@robotdan robotdan changed the title Open ID token request error 500 OAuth Token request returning 500 when client_id is omitted Dec 14, 2018
@robotdan robotdan changed the title OAuth Token request returning 500 when client_id is omitted Token request returning 500 when client_id is omitted Dec 14, 2018
@robotdan robotdan moved this from Backlog to In progress in FusionAuth Issues Dec 19, 2018
@robotdan robotdan moved this from In progress to Code complete in FusionAuth Issues Dec 19, 2018
@robotdan robotdan added this to the 1.3.1 milestone Dec 19, 2018
@robotdan robotdan moved this from Code complete to Done in FusionAuth Issues Dec 19, 2018
@robotdan (Member)

Fixed in release 1.3.1.

@anbraten (Author)

Works great. Thanks.

Would be useful to add it to the Docs.
client_id (optional) is set by header or if no authentication is required must be provided as a parameter

robotdan added a commit to FusionAuth/fusionauth-site that referenced this issue Dec 20, 2018
@robotdan (Member)

@Garogat Ha - oops, thanks for the reminder. I meant to update the doc as well. Done!

https://fusionauth.io/docs/v1/tech/oauth/endpoints#token

Let me know if you have any other questions on this issue. Thanks.
