Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent possible NPE in OIDC BackChannelLogoutHandler #29037

Merged
merged 1 commit into from
Nov 4, 2022
Merged

Prevent possible NPE in OIDC BackChannelLogoutHandler #29037

merged 1 commit into from
Nov 4, 2022

Conversation

sberyozkin
Copy link
Member

As discovered by @pjgg, OIDC BackChannelLogoutHandler can throw NPE if no tenant configuration matching the back channel logout request has been found. BackChannelLogoutHandler checks if the tenant context is null and logs a message but currently forgets end the request, leading to a later NPE where this context is accessed.
OIDC back channel logout spec requires 400 be returned if the logout request is invalid or has failed for whatever reasons, so 400 is returned in this case, https://openid.net/specs/openid-connect-backchannel-1_0.html#BCResponse

@sberyozkin sberyozkin requested a review from gastaldi November 3, 2022 13:23
gastaldi
gastaldi approved these changes Nov 3, 2022
View reviewed changes
Copy link
Contributor

@gastaldi gastaldi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks okay, just added a minor observation

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/BackChannelLogoutHandler.java
@@ -59,6 +59,9 @@ public void handle(RoutingContext context) {
LOG.debugf(
"Tenant configuration for the tenant %s is not available or does not match the backchannel logout path",
oidcTenantConfig.getTenantId().get());
context.response().setStatusCode(400);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wish we could include the reason in the response. Returning a client error without any reason will make it harder to debug situations where this happens

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gastaldi I see, but note this one will be returned to Keycloak directly, not to Quarkus user; besides this is a case where the fact Quarkus can't find the matching configuration is probably not something we'd like to say to the outside world, logging it for the users to trace seems reasonable. Perhaps we can make this one an ERROR-level message though, what do you think ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if that's a good idea as clients could easily fill the logs with this information because the request is invalid

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gastaldi I changed the log level to error, hope it is better

@gsmet
Copy link
Member

gsmet commented Nov 3, 2022

@sberyozkin no 2.13 backport, it's a new feature in 2.14?

@sberyozkin
Copy link
Member Author

@gsmet It is not a new feature, @pjgg has spotted a problem during the QE check

@sberyozkin
Copy link
Member Author

Sorry, forgot 2.14 has been branched :-)

@sberyozkin sberyozkin force-pushed the back_channel_logout_npe branch from 9a01340 to 0ff7788 Compare November 3, 2022 13:58
@quarkus-bot quarkus-bot bot added the area/oidc label Nov 3, 2022
@quarkus-bot

This comment has been minimized.

Sign in to view
@sberyozkin
Copy link
Member Author

sberyozkin commented Nov 3, 2022
edited
Loading

@gastaldi I've checked the spec, they only advise An error value of invalid_request MAY be used to indicate that there was a problem with the syntax of the logout request with the possible optional description but that is not related to this NPE problem, and I'm not sure helping the invalid request debugging is a security sound idea either, Keycloak or other provider either works and sends properly formatted requests or it does not support it at all... For now it feels like we are OK...

@sberyozkin sberyozkin force-pushed the back_channel_logout_npe branch from 0ff7788 to 7ed539c Compare November 3, 2022 23:35
@quarkus-bot
Copy link

quarkus-bot bot commented Nov 4, 2022

Failing Jobs - Building 7ed539c

Status Name Step Failures Logs Raw logs
✔️ JVM Tests - JDK 11
✔️ JVM Tests - JDK 17
JVM Tests - JDK 17 MacOS M1 Set up runner ⚠️ Check → Logs Raw logs
✔️ JVM Tests - JDK 18

@sberyozkin sberyozkin merged commit 61e05a9 into quarkusio:main Nov 4, 2022
@sberyozkin sberyozkin deleted the back_channel_logout_npe branch November 4, 2022 09:49
@quarkus-bot quarkus-bot bot added this to the 2.15 - main milestone Nov 4, 2022
@gsmet gsmet modified the milestones: 2.15 - main, 2.14.1.Final Nov 5, 2022
@gsmet gsmet modified the milestones: 2.14.1.Final, 2.13.4.Final Nov 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gastaldi gastaldi gastaldi approved these changes

Assignees
No one assigned
Labels
area/oidc
Projects
None yet
Milestone
2.13.4.Final
Development

Successfully merging this pull request may close these issues.
3 participants
@sberyozkin @gsmet @gastaldi