Exception thrown when calling AuthorizationServerMetadata.parse
When AuthorizationServerMetadata.parse is called at lines 2041-2042 of AuthorizationServerMetadata.java (https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/annotate/master/src/main/java/com/nimbusds/oauth2/sdk/as/AuthorizationServerMetadata.java?at=master), a ParseException is thrown: Unexpected type of JSON object member with key "mtls_endpoint_aliases".
This is because in the code

    if (jsonObject.get("mtls_endpoint_aliases") != null)
        as.mtlsEndpointAliases = AuthorizationServerEndpointMetadata.parse(JSONObjectUtils.getJSONObject(jsonObject, "mtls_endpoint_aliases"));

JSONObjectUtils.getJSONObject(jsonObject, "mtls_endpoint_aliases") returns a LinkedHashMap rather than a JSONObject. However, AuthorizationServerEndpointMetadata.parse expects a JSONObject.
The correct code on line 2042 should convert the LinkedHashMap to a JSONObject and then pass it to the parse function, for example:

    AuthorizationServerEndpointMetadata.parse(JSONObjectUtils.parse(JSONObject.toJSONString((LinkedHashMap)jsonObject.get("mtls_endpoint_aliases"))))

We are currently completely stuck with this error when using the SDK in our project. Could you please have a look to see if it can be fixed and released quickly so that we can make progress on our project?
Thanks very much!
Comments (13)
-
reporter -
reporter - edited description
Updated the issue
-
- changed status to open
-
Can you paste a mini test that shows the bug?
Added a round-trip test that does parsing from String and JSONObject and there is no unexpected exception: b519b418
-
reporter I just found out that the issue is not a real problem. For some reason, the SDK installed in our project was version 7.1.3 rather than version 9.9.1, which we tried to use. It might be caused by the dependency installation of an SDK referenced by our project. When we correctly upgraded the package, the ParseException was gone.
Thanks a lot for looking into it. Could you please close the ticket?
-
reporter - marked as trivial
Due to the out-of-date version being used wrongly, the issue is not a problem anymore. Sorry for raising the issue without checking the version carefully.
-
- changed status to invalid
That's alright. Every now and then we get issues reported that end up resolving when the correct version is applied.
-
Hello,
I’ve faced this issue when trying to read data from an issuer URL of a Keycloak of the latest version. The data from Keycloak for the property “mtls_endpoint_aliases” looks like this:

    "mtls_endpoint_aliases":{
        "token_endpoint":"https://keycloakdomain/auth/realms/tcw/protocol/openid-connect/token",
        "revocation_endpoint":"https://keycloakdomain/auth/realms/tcw/protocol/openid-connect/revoke",
        "introspection_endpoint":"https://keycloakdomain/auth/realms/tcw/protocol/openid-connect/token/introspect",
        "device_authorization_endpoint":"https://keycloakdomain/auth/realms/tcw/protocol/openid-connect/auth/device",
        "registration_endpoint":"https://keycloakdomain/auth/realms/tcw/clients-registrations/openid-connect",
        "userinfo_endpoint":"https://keycloakdomain/auth/realms/tcw/protocol/openid-connect/userinfo",
        "pushed_authorization_request_endpoint":"https://keycloakdomain/auth/realms/tcw/protocol/openid-connect/ext/par/request",
        "backchannel_authentication_endpoint":"https://keycloakdomain/auth/realms/tcw/protocol/openid-connect/ext/ciba/auth"
    }

But the parse function of the class in the latest version will try to read the following properties:

    public static AuthorizationServerEndpointMetadata parse(final JSONObject jsonObject)
        throws ParseException {

        AuthorizationServerEndpointMetadata as = new AuthorizationServerEndpointMetadata();
        as.authzEndpoint = JSONObjectUtils.getURI(jsonObject, "authorization_endpoint", null);
        as.tokenEndpoint = JSONObjectUtils.getURI(jsonObject, "token_endpoint", null);
        as.regEndpoint = JSONObjectUtils.getURI(jsonObject, "registration_endpoint", null);
        as.introspectionEndpoint = JSONObjectUtils.getURI(jsonObject, "introspection_endpoint", null);
        as.revocationEndpoint = JSONObjectUtils.getURI(jsonObject, "revocation_endpoint", null);
        as.requestObjectEndpoint = JSONObjectUtils.getURI(jsonObject, "request_object_endpoint", null);
        as.parEndpoint = JSONObjectUtils.getURI(jsonObject, "pushed_authorization_request_endpoint", null);
        as.deviceAuthzEndpoint = JSONObjectUtils.getURI(jsonObject, "device_authorization_endpoint", null);
        as.backChannelAuthEndpoint = JSONObjectUtils.getURI(jsonObject, "backchannel_authentication_endpoint", null);
        return as;
    }

If I understand the processes in JSONObjectUtils correctly, already trying to read the “authorization_endpoint” leads to a ParseException.
Can you confirm this? Is there a workaround or should this be fixed?
Best regards,
Daniel -
Will add a test to see what’s going on.
Do you have the complete OP metadata JSON object returned from the server?
-
- changed status to open
-
Added test with sample JSON, passes: 8039c87f
-
Hello Yavor,
I’m sorry! I should have checked everything myself before adding to this, but I trusted the guys from Spring Security, who sent me here - me, and the person who added this bug for them: https://github.com/spring-projects/spring-security/issues/10666
After testing it manually, I’d assume it is a Spring Security issue and added a comment there.
Thank you for your reply!
Daniel -
- changed status to invalid
That's alright, thanks for the update. I'm closing the issue for now, but if there is indeed a bug here we'll fix it. Just give us a test vector and a stack trace.
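
The kind of mini test the maintainer asks for, combined with a check of which SDK JAR the JVM actually loaded (the cause of the first report). This is an added example, not code from the SDK or from any commenter; the class name MtlsAliasesCheck and the sample metadata with as.example.com URLs are constructed, and it assumes a 9.x SDK JAR on the classpath.

```java
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.as.AuthorizationServerEndpointMetadata;
import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;

import java.security.CodeSource;

// Hypothetical helper class, not part of the SDK.
public class MtlsAliasesCheck {

    // Constructed test vector: the aliases object has no "authorization_endpoint"
    // and carries a member the endpoint parser does not read ("userinfo_endpoint"),
    // mirroring the shape of the Keycloak response quoted in the thread.
    static final String SAMPLE =
        "{\"issuer\":\"https://as.example.com\","
      + "\"token_endpoint\":\"https://as.example.com/token\","
      + "\"mtls_endpoint_aliases\":{"
      + "\"token_endpoint\":\"https://mtls.as.example.com/token\","
      + "\"userinfo_endpoint\":\"https://mtls.as.example.com/userinfo\"}}";

    public static void main(String[] args) {
        // Step 1: report where the class really came from. A stale transitive
        // dependency shows up here as an unexpected JAR path or version.
        Class<?> c = AuthorizationServerMetadata.class;
        CodeSource src = c.getProtectionDomain().getCodeSource();
        System.out.println("Loaded from: " + (src != null ? src.getLocation() : "unknown"));
        // Null when the JAR manifest carries no Implementation-Version entry.
        System.out.println("Version:     " + c.getPackage().getImplementationVersion());

        // Step 2: parse the test vector and read back the mTLS alias.
        try {
            AuthorizationServerMetadata md = AuthorizationServerMetadata.parse(SAMPLE);
            AuthorizationServerEndpointMetadata aliases = md.getMtlsEndpointAliases();
            if (aliases == null) {
                throw new IllegalStateException("mtls_endpoint_aliases was not parsed");
            }
            System.out.println("mTLS token endpoint: " + aliases.getTokenEndpointURI());
        } catch (ParseException e) {
            // The stack trace plus the two lines printed above make a complete report.
            e.printStackTrace();
        }
    }
}
```

Run it with the same classpath as the failing application, so that the JAR location it prints is the one the application resolves.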