Jason created TOMEE-4620:
----------------------------

             Summary: Misspelled field accesToken in OIDC TokenResponse 
prevents interoperability with custom JSON providers (Jackson)
                 Key: TOMEE-4620
                 URL: https://issues.apache.org/jira/browse/TOMEE-4620
             Project: TomEE
          Issue Type: Bug
          Components: TomEE Core Server
    Affects Versions: 10.1.5
            Reporter: Jason


In the Jakarta Security OpenID Connect implementation, the class 
{{org.apache.tomee.security.http.openid.model.TokenResponse}} contains a 
spelling error in both its field definition and its getter method. The word 
"access" is misspelled with a single "s" as {{{}accesToken{}}}.

While this typo is masked when using the default JSON-B provider (Apache 
Johnzon) because it honours the {{@JsonbProperty(OpenIdConstant.ACCESS_TOKEN)}} 
annotation during deserialisation, it breaks interoperability when an 
application swaps or registers a global custom provider tier, such as Jackson 
or an alternative ObjectMapper engine.

Because Jackson and other standard mapping engines natively translate the Java 
field name {{accesToken}} into snake-case as {{{}acces_token{}}}, they fail to 
bind the standard OIDC incoming JSON payload property {{access_token}} (spelled 
with two 's' characters). This results in the field being bound as {{{}null{}}}.

Downstream, this silent {{null}} binding leads to an unhandled 
{{NullPointerException}} inside TomEE's security lifecycle validation engine 
when it attempts to run sequence-checks on the token (e.g., calling 
{{.startsWith()}} on a null reference):

 
{quote}{{WARNING [http-nio-8080-exec-3] 
org.apache.tomee.security.cdi.openid.OpenIdIdentityStore.createAccessToken 
access_token is invalid: JWT processing failed. 
Additional details: [[17] Unexpected exception encountered while processing 
JOSE object (cause: java.lang.NullPointerException: Cannot invoke 
"String.startsWith(String)" because "cs" is null): null]}}{quote}
*Proposed Fix:*
 # Rename the internal field variable from {{accesToken}} to 
{{{}accessToken{}}}.

 # Rename the accompanying public getter method from {{getAccesToken()}} to 
{{{}getAccessToken(){}}}.

*Additional Note:*

Although unrelated to my issue with the above, I also noted the same 
misspelling in the class name: 
org.apache.tomee.security.http.openid.model.TomEEAccesToken (missing the "s" 
and should be *TomEEAccessToken*
 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to