This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

HashedSharedSecretValidator does not catch null value #3404

Closed
MPapst opened this issue Jul 9, 2019 · 2 comments

MPapst commented Jul 9, 2019

The HashedSharedSecretValidator does not check for nulls before trying to Convert from Base64.

Issue / Steps to reproduce the problem

Good question. Actually I do not know what is causing this.

I added to a working instance of IdentityServer4 (v2.4.0) an MVC Client as described in the samples. Whenever I try to authenticate from that MVC Client, I am getting an HTML error page sent back to the Client using POST instead of the JSON token.
I already tried the sample MVC Client and the same happens, so it seems to be related to the IdentityServer configuration(?).

Nevertheless, as I am still investigating this issue offline, a better exception message could have already helped me find the position.

Relevant parts of the log file

[15:18:50 VRB] Calling into client configuration validator: IdentityServer4.Validation.DefaultClientConfigurationValidator
[15:18:50 DBG] client configuration validation for client ManagementAPIClient succeeded.
[15:18:50 FTL] Unhandled exception: Value cannot be null.
Parameter name: s
System.ArgumentNullException: Value cannot be null.
Parameter name: s
   at System.Convert.FromBase64String(String s)
   at IdentityServer4.Validation.HashedSharedSecretValidator.ValidateAsync(IEnumerable`1 secrets, ParsedSecret parsedSecret) in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\src\Validation\Default\HashedSharedSecretValidator.cs:line 71
   at IdentityServer4.Validation.SecretValidator.ValidateAsync(ParsedSecret parsedSecret, IEnumerable`1 secrets) in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\src\Validation\Default\SecretValidator.cs:line 59
   at IdentityServer4.Validation.ClientSecretValidator.ValidateAsync(HttpContext context) in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\src\Validation\Default\ClientSecretValidator.cs:line 83
   at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\src\Endpoints\TokenEndpoint.cs:line 78
   at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\src\Endpoints\TokenEndpoint.cs:line 70
   at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events) in C:\local\identity\server4\IdentityServer4\src\IdentityServer4\src\Hosting\IdentityServerMiddleware.cs:line 54
@brockallen brockallen added the bug label Jul 9, 2019
@brockallen brockallen added this to the 2.5 milestone Jul 9, 2019
brockallen (Member) commented

Fixed. Thanks.
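
A fail-closed shape for the null check this issue asks for, as an added C# example that is not IdentityServer4's code and not the fix that was shipped. `StoredSecret`, `HashedSecretCheck` and `Matches` are hypothetical names, stored values are assumed to be Base64-encoded SHA-256 hashes, the sample data is constructed, and .NET 5 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for a stored client secret; not an IdentityServer4 type.
public sealed record StoredSecret(string? Value, string Description);

public static class HashedSecretCheck
{
    // Returns true only if SHA-256(presented) equals one well-formed stored hash.
    // A null, empty or non-Base64 stored value is logged and skipped, so a bad
    // configuration entry fails validation instead of throwing out of the endpoint.
    public static bool Matches(IEnumerable<StoredSecret> stored, string? presented, Action<string> log)
    {
        if (string.IsNullOrEmpty(presented)) return false;
        byte[] presentedHash = SHA256.HashData(Encoding.UTF8.GetBytes(presented));

        bool match = false;
        foreach (var secret in stored)
        {
            if (string.IsNullOrWhiteSpace(secret.Value))
            {
                log($"Secret '{secret.Description}' has no value; skipping.");
                continue;
            }
            byte[] storedHash;
            try { storedHash = Convert.FromBase64String(secret.Value); }
            catch (FormatException)
            {
                log($"Secret '{secret.Description}' is not valid Base64; skipping.");
                continue;
            }
            // FixedTimeEquals returns false on a length mismatch and does not
            // stop at the first differing byte.
            match |= CryptographicOperations.FixedTimeEquals(storedHash, presentedHash);
        }
        return match;
    }

    public static void Main()
    {
        // Constructed sample data: one broken entry (null value) and one valid hash.
        string good = Convert.ToBase64String(SHA256.HashData(Encoding.UTF8.GetBytes("s3cret")));
        var stored = new[] { new StoredSecret(null, "broken"), new StoredSecret(good, "valid") };
        Console.WriteLine(Matches(stored, "s3cret", Console.WriteLine));
        Console.WriteLine(Matches(stored, "wrong", Console.WriteLine));
    }
}
```

The log message names the offending secret entry by its description and never includes the secret value or the presented credential.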


lock bot commented Jan 11, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 11, 2020