Closed
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
No response
Describe the bug
Issue
Due to lack of documentation on exactly what AIA are available and what strings are required to trigger them, I have been testing different values for kc_action. I have discovered an invalid string is not ignored but rather causes a java.lang.NullPointerException.
Version
26.1.2
Regression
- The issue is a regression
Expected behavior
Any invalid kc_action will be ignored and login will continue as expected.
Actual behavior
Login is halted due to error message.
Server logs an exception:
2025-02-20 09:12:39,206 WARN [org.keycloak.services] (executor-thread-1) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.authentication.RequiredActionProvider.getMaxAuthAge()" because "requiredActionProvider" is null
at org.keycloak.protocol.oidc.OIDCLoginProtocol.isReAuthRequiredForKcAction(OIDCLoginProtocol.java:530)
at org.keycloak.protocol.oidc.OIDCLoginProtocol.requireReauthentication(OIDCLoginProtocol.java:494)
at org.keycloak.authentication.authenticators.browser.CookieAuthenticator.authenticate(CookieAuthenticator.java:61)
at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:465)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:291)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1079)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:917)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:147)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:380)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:223)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:117)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:1583)
2025-02-20 09:12:39,220 WARN [org.keycloak.events] (executor-thread-1) type="LOGIN_ERROR", realmId="mukuru", realmName="mukuru", clientId="oauth-tester", userId="null", ipAddress="81.132.85.165", error="invalid_user_credentials", auth_method="openid-connect", auth_type="code", response_type="code", redirect_uri="https://oauth-tester.mukuru.dev/login", code_id="f1d16714-00b8-45a2-877d-a72cb4a15230", response_mode="query"
How to Reproduce?
Add any non-existing RequiredActionProvider to the kc_action parameter in a login request. For example: kc_action=test.
Anything else?
No response
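A log-correlation check for the two WARN lines in the report, added here as an example and not part of the original issue or of Keycloak's code: it flags LOGIN_ERROR events that follow the `requiredActionProvider` NullPointerException, so they can be told apart from genuine `invalid_user_credentials` failures. Pairing by executor thread within a one-second window is an assumption, and the sample log is constructed with placeholder realm, client and IP values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the two WARN lines in the report
# (stack shortened; realm, client and IP addresses are placeholders).
SAMPLE_LOG = """\
2025-02-20 09:12:39,206 WARN [org.keycloak.services] (executor-thread-1) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.authentication.RequiredActionProvider.getMaxAuthAge()" because "requiredActionProvider" is null
\tat org.keycloak.protocol.oidc.OIDCLoginProtocol.isReAuthRequiredForKcAction(OIDCLoginProtocol.java:530)
2025-02-20 09:12:39,220 WARN [org.keycloak.events] (executor-thread-1) type="LOGIN_ERROR", realmId="example", clientId="example-client", ipAddress="192.0.2.10", error="invalid_user_credentials"
2025-02-20 09:13:02,101 WARN [org.keycloak.events] (executor-thread-4) type="LOGIN_ERROR", realmId="example", clientId="example-client", ipAddress="192.0.2.77", error="invalid_user_credentials"
"""

# timestamp, level, logger category, thread name, message
HEAD = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+\[([^\]]+)\] \(([^)]+)\) (.*)$')
KV = re.compile(r'(\w+)="([^"]*)"')
NPE = 'because "requiredActionProvider" is null'


def find_kc_action_npe_logins(log_text, window=timedelta(seconds=1)):
    """Return LOGIN_ERROR events that follow the NPE on the same thread."""
    pending = {}  # thread name -> timestamp of the latest matching NPE
    hits = []
    for line in log_text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue  # stack frame or other continuation line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        thread, msg = m.group(4), m.group(5)
        if "KC-SERVICES0013" in msg and NPE in msg:
            pending[thread] = ts
            continue
        fields = dict(KV.findall(msg))
        # Assumption: the event for the failed request is logged by the same
        # thread shortly after the exception, as in the report's log.
        if fields.get("type") == "LOGIN_ERROR" and thread in pending:
            if ts - pending.pop(thread) <= window:
                hits.append({"time": m.group(1),
                             "client": fields.get("clientId"),
                             "ip": fields.get("ipAddress")})
    return hits


if __name__ == "__main__":
    for hit in find_kc_action_npe_logins(SAMPLE_LOG):
        print(hit)
```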