Jason created TOMEE-4620:
----------------------------
Summary: Misspelled field accesToken in OIDC TokenResponse
prevents interoperability with custom JSON providers (Jackson)
Key: TOMEE-4620
URL: https://issues.apache.org/jira/browse/TOMEE-4620
Project: TomEE
Issue Type: Bug
Components: TomEE Core Server
Affects Versions: 10.1.5
Reporter: Jason
In the Jakarta Security OpenID Connect implementation, the class
{{org.apache.tomee.security.http.openid.model.TokenResponse}} contains a
spelling error in both its field definition and its getter method. The word
"access" is misspelled with a single "s" as {{{}accesToken{}}}.
While this typo is masked when using the default JSON-B provider (Apache
Johnzon) because it honours the {{@JsonbProperty(OpenIdConstant.ACCESS_TOKEN)}}
annotation during deserialisation, it breaks interoperability when an
application swaps or registers a global custom provider tier, such as Jackson
or an alternative ObjectMapper engine.
Because Jackson and other standard mapping engines natively translate the Java
field name {{accesToken}} into snake-case as {{{}acces_token{}}}, they fail to
bind the standard OIDC incoming JSON payload property {{access_token}} (spelled
with two 's' characters). This results in the field being bound as {{{}null{}}}.
Downstream, this silent {{null}} binding leads to an unhandled
{{NullPointerException}} inside TomEE's security lifecycle validation engine
when it attempts to run sequence-checks on the token (e.g., calling
{{.startsWith()}} on a null reference):
{quote}{{WARNING [http-nio-8080-exec-3]
org.apache.tomee.security.cdi.openid.OpenIdIdentityStore.createAccessToken
access_token is invalid: JWT processing failed.
Additional details: [[17] Unexpected exception encountered while processing
JOSE object (cause: java.lang.NullPointerException: Cannot invoke
"String.startsWith(String)" because "cs" is null): null]}}{quote}
*Proposed Fix:*
# Rename the internal field variable from {{accesToken}} to
{{{}accessToken{}}}.
# Rename the accompanying public getter method from {{getAccesToken()}} to
{{{}getAccessToken(){}}}.
*Additional Note:*
Although unrelated to my issue with the above, I also noted the same
misspelling in the class name:
org.apache.tomee.security.http.openid.model.TomEEAccesToken (missing the "s"
and should be *TomEEAccessToken*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)