Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authorization-services
Describe the bug
I am trying to use the DPoP feature; for that I have created a new
realm, apps, with two clients, web-console and api-server.
realm-export (2).json
DPoP is not enabled on either client yet, and I am trying to get a token as below:
curl --location 'http://localhost:8080/realms/apps/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=admin' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=web-console' \
--data-urlencode 'client_secret=usHQmU2n73XINAdyHJi6WDT8sutnbjD3' \
--data-urlencode 'scope=openid'
Using the access token, I then call the permission API as below:
curl --location 'http://localhost:8080/realms/apps/protocol/openid-connect/token' \
--header 'Authorization: Bearer ...' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'audience=api-server'
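As an added example (not part of the report or of Keycloak itself), a shell harness that runs the two calls above in order and classifies the token endpoint's reply, so the reported failure can be re-checked after a fix. It assumes KC_URL, WEB_CONSOLE_SECRET, KC_USER and KC_PASS as environment variables for the values the report shows inline.

```shell
#!/usr/bin/env bash
# Added reproduction harness for the report above; not Keycloak code. Assumes
# Keycloak at $KC_URL (default http://localhost:8080), realm "apps", client
# "web-console" (secret in $WEB_CONSOLE_SECRET) and resource server "api-server".
KC_URL="${KC_URL:-http://localhost:8080}"
TOKEN_URL="$KC_URL/realms/apps/protocol/openid-connect/token"
# Step 1 of the report: password grant for web-console; prints the access token.
get_access_token() {
  curl -sS -X POST "$TOKEN_URL" \
    --data-urlencode "grant_type=password" \
    --data-urlencode "client_id=web-console" \
    --data-urlencode "client_secret=${WEB_CONSOLE_SECRET:?set WEB_CONSOLE_SECRET}" \
    --data-urlencode "username=$1" --data-urlencode "password=$2" \
    --data-urlencode "scope=openid" \
  | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Step 2 of the report: UMA ticket grant with the bearer token, no DPoP header.
# Prints the response body, then the HTTP status on the last line.
uma_ticket() {
  curl -sS -X POST "$TOKEN_URL" -w '\n%{http_code}' \
    --header "Authorization: Bearer $1" \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
    --data-urlencode "audience=api-server"
}

# Classify a token-endpoint body: "decision" for {"result": ...}, "rpt" for a
# token response, "server_error" for the generic unknown_error body that the
# report shows next to the NullPointerException, "other" for anything else.
classify_uma_response() {
  local body="$1"
  if printf '%s' "$body" | grep -q '"result"[[:space:]]*:'; then echo decision
  elif printf '%s' "$body" | grep -q '"access_token"'; then echo rpt
  elif printf '%s' "$body" | grep -q '"error"[[:space:]]*:[[:space:]]*"unknown_error"'; then
    echo server_error
  else echo other
  fi
}
# Runs both steps; exits non-zero when the reported server error is observed.
main() {
  local token resp body status
  token="$(get_access_token "${KC_USER:-admin}" "${KC_PASS:-admin}")"
  [ -n "$token" ] || { echo "no access token from step 1" >&2; return 1; }
  resp="$(uma_ticket "$token")"
  body="${resp%$'\n'*}"; status="${resp##*$'\n'}"
  echo "HTTP $status -> $(classify_uma_response "$body")"
  [ "$(classify_uma_response "$body")" != server_error ]
}
if [ "${1:-}" = run ]; then main; fi
```

Run it as `WEB_CONSOLE_SECRET=... ./repro.sh run`; a non-zero exit means the unknown_error body from the report was returned.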
Version
26.0.7
Regression
- The issue is a regression
Expected behavior
It should return:
{
"result": true
}
Actual behavior
{
"error": "unknown_error",
"error_description": "For more on this error consult the server log."
}
2025-01-07 14:33:34 2025-01-07 09:03:34,463 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-238) Uncaught server error: java.lang.NullPointerException: Cannot invoke "org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper.isUseDPoP()" because "clientConfig" is null
2025-01-07 14:33:34 at org.keycloak.services.util.DPoPUtil.retrieveDPoPHeaderIfPresent(DPoPUtil.java:157)
2025-01-07 14:33:34 at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:145)
2025-01-07 14:33:34 at org.keycloak.protocol.oidc.endpoints.TokenEndpoint$quarkusrestinvoker$processGrantRequest_6408e15340992839b66447750c221d9aaa837bd7.invoke(Unknown Source)
2025-01-07 14:33:34 at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
2025-01-07 14:33:34 at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
2025-01-07 14:33:34 at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
2025-01-07 14:33:34 at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
2025-01-07 14:33:34 at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
2025-01-07 14:33:34 at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
2025-01-07 14:33:34 at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
2025-01-07 14:33:34 at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
2025-01-07 14:33:34 at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
2025-01-07 14:33:34 at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
2025-01-07 14:33:34 at java.base/java.lang.Thread.run(Thread.java:1583)
How to Reproduce?
Create the realm by importing the attached realm export file and call the two APIs using curl/Postman.
Anything else?
It is impacting server-side fine-grained authorisation for clients that are not using the DPoP feature.