[ 
https://issues.apache.org/jira/browse/TOMEE-4620?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Markus Jung updated TOMEE-4620:
-------------------------------
    Affects Version/s: 11.0.0-M1

> Misspelled field accesToken in OIDC TokenResponse prevents interoperability 
> with custom JSON providers (Jackson)
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: TOMEE-4620
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4620
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>    Affects Versions: 11.0.0-M1, 10.1.5
>            Reporter: Jason
>            Assignee: Markus Jung
>            Priority: Major
>
> In the Jakarta Security OpenID Connect implementation, the class 
> {{org.apache.tomee.security.http.openid.model.TokenResponse}} contains a 
> spelling error in both its field definition and its getter method. The word 
> "access" is misspelled with a single "s" as {{{}accesToken{}}}.
> While this typo is masked when using the default JSON-B provider (Apache 
> Johnzon) because it honours the 
> {{@JsonbProperty(OpenIdConstant.ACCESS_TOKEN)}} annotation during 
> deserialisation, it breaks interoperability when an application swaps or 
> registers a global custom provider tier, such as Jackson or an alternative 
> ObjectMapper engine.
> Because Jackson and other standard mapping engines natively translate the 
> Java field name {{accesToken}} into snake-case as {{{}acces_token{}}}, they 
> fail to bind the standard OIDC incoming JSON payload property 
> {{access_token}} (spelled with two 's' characters). This results in the field 
> being bound as {{{}null{}}}.
> Downstream, this silent {{null}} binding leads to an unhandled 
> {{NullPointerException}} inside TomEE's security lifecycle validation engine 
> when it attempts to run sequence-checks on the token (e.g., calling 
> {{.startsWith()}} on a null reference):
>  
> {quote}{{WARNING [http-nio-8080-exec-3] 
> org.apache.tomee.security.cdi.openid.OpenIdIdentityStore.createAccessToken 
> access_token is invalid: JWT processing failed. 
> Additional details: [[17] Unexpected exception encountered while processing 
> JOSE object (cause: java.lang.NullPointerException: Cannot invoke 
> "String.startsWith(String)" because "cs" is null): null]}}{quote}
> *Proposed Fix:*
>  # Rename the internal field variable from {{accesToken}} to 
> {{{}accessToken{}}}.
>  # Rename the accompanying public getter method from {{getAccesToken()}} to 
> {{{}getAccessToken(){}}}.
> *Additional Note:*
> Although unrelated to my issue with the above, I also noted the same 
> misspelling in the class name: 
> org.apache.tomee.security.http.openid.model.TomEEAccesToken (missing the "s" 
> and should be *TomEEAccessToken*
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to