0

I am trying to login using JWT token issued by External JWT Provider. When I use Reconcile API I got 500 error with following stack trace:

Aug 20, 2019 8:03:16.428 AM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.NullPointerException: null
        at io.fusionauth.jwt.domain.JWT.lookupClaim(JWT.java:416)
        at io.fusionauth.jwt.domain.JWT.getString(JWT.java:347)
        at io.fusionauth.api.service.authentication.ExternalJWTIdentityProviderAuthenticationService.reconcile(ExternalJWTIdentityProviderAuthenticationService.java:90)
        at io.fusionauth.app.action.api.identityProvider.LoginAction.post(LoginAction.java:59)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:436)
        at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:84)
        at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:64)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:60)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:45)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:126)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:89)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:57)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.workflow.DefaultMVCWorkflow.perform(DefaultMVCWorkflow.java:91)
        at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44)
        at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50)
        at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:84)
        at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:59)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at com.inversoft.servlet.CORSFilter.handleNonCORS(CORSFilter.java:748)
        at com.inversoft.servlet.CORSFilter.doFilter(CORSFilter.java:646)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)

Here is my decoded JWT payload:

{
  "user_name": "name.surname",
  "scope": [
    "read"
  ],
  "exp": 1566331043,
  "applicationId": "37cf7a75-6b3a-49d9-99d9-6f261c4f6851",
  "jti": "eddc15b6-f479-47c0-8d08-8b9aacf6dbe8",
  "email": "name.surname@domain.pl",
  "client_id": "37cf7a75-6b3a-49d9-99d9-6f261c4f6851"
}

“uniqueIdentityClaim” in provider config is set to “email”. I tried setting it to “user_name” too, but it does nothing. Looks like it searches for “null” claim at io.fusionauth.jwt.domain.JWT.lookupClaim(JWT.java:416) but I have no idea when and how could it pass null there, when the token has all fields filled. Any suggestions?

EDIT:

UPDATE: I tried to make it work and I noticed that it works in specific case. Here is part of the code:

        UUID appId = fusionAuthConfig.getApplication().id;
        LookupResponse lookupResponse = lambdaDelegate.execute(x -> x.lookupIdentityProvider("domain.pl"));
        IdentityProviderLoginRequest request = new IdentityProviderLoginRequest();
        request.identityProviderId = lookupResponse.identityProvider.id;
        request.applicationId = appId;
        request.setEncodedJWT(token);
        LoginResponse response = lambdaDelegate.execute(x -> x.reconcileJWT(request));
        return response;

When I debug on line 

        LoginResponse response = lambdaDelegate.execute(x -> x.reconcileJWT(request));

and wait a while, it works. There is no error, user is registered and logged in FusionAuth in my application and I am authorized in endpoints when I use returned token. Still trying to figure out why works when I debug on that line and wait.

Lechu67
  • 35
  • 5
  • That NPE looks to be using the unique claim name which is a required field, so that is strange that it appears to be looking up a null value. What version of FusionAuth are you running, in the latest released version you can enable debug in the config which will produce an event log to review. – robotdan Aug 20 '19 at 16:56

1 Answers1

0

I managed to resolve it. Problem was in using lambdaDelegate. When I removed '''

LookupResponse lookupResponse = lambdaDelegate.execute(x -> x.lookupIdentityProvider("domain.pl"));

''' it worked. I just had to pass identifyProviderUuid, not to lookup for it. Looks like there is some kind of conflict when 2 methods from FusionAuth are called one after another and the first one is not finished yet

Lechu67
  • 35
  • 5