Fix invalid JWT headers NPE during delayed JWK resolution

Author: sberyozkin

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DynamicVerificationKeyResolver.java

@@ -19,6 +19,7 @@
 import io.quarkus.oidc.OidcTenantConfig;
 import io.quarkus.oidc.common.OidcRequestContextProperties;
 import io.quarkus.runtime.ShutdownEvent;
+import io.quarkus.security.AuthenticationFailedException;
 import io.quarkus.security.credential.TokenCredential;
 import io.smallrye.mutiny.Uni;
 import io.vertx.core.Vertx;
@@ -47,6 +48,10 @@ public DynamicVerificationKeyResolver(OidcProviderClientImpl client, OidcTenantC
 
     public Uni<VerificationKeyResolver> resolve(TokenCredential tokenCred) {
         JsonObject headers = OidcUtils.decodeJwtHeaders(tokenCred.getToken());
+        if (headers == null) {
+            LOG.debug("Invalid JWT token format");
+            return Uni.createFrom().failure(new AuthenticationFailedException());
+        }
         Key key = findKeyInTheCache(headers);
         if (key != null) {
             return Uni.createFrom().item(new SingleKeyVerificationKeyResolver(key));

integration-tests/oidc/src/main/java/io/quarkus/it/keycloak/UsersResource.java

@@ -25,6 +25,13 @@ public User principalName() {
         return new User(identity.getPrincipal().getName());
     }
 
+    @GET
+    @Path("/me/jwk-delayed-resolution")
+    @RolesAllowed("user")
+    public User principalNameJwkDelayedResolution() {
+        return new User(identity.getPrincipal().getName());
+    }
+
     @GET
     @Path("/preferredUserName")
     @RolesAllowed("user")

integration-tests/oidc/src/main/resources/application.properties

@@ -14,18 +14,23 @@ quarkus.oidc.tls.trust-store-password=password
 quarkus.oidc.tls.key-store-file=target/certificates/oidc-client-keystore.p12
 quarkus.oidc.tls.key-store-password=password
 
+quarkus.oidc.jwk-delayed-resolution.auth-server-url=${quarkus.oidc.auth-server-url}
+quarkus.oidc.jwk-delayed-resolution.jwks.resolve-early=false
+quarkus.oidc.jwk-delayed-resolution.tls.tls-configuration-name=oidc-tls
+
 %tls-registry.quarkus.oidc.tls.tls-configuration-name=oidc-tls
-%tls-registry.quarkus.tls.oidc-tls.key-store.jks.path=target/certificates/oidc-client-keystore.p12
-%tls-registry.quarkus.tls.oidc-tls.key-store.jks.password=password
-%tls-registry.quarkus.tls.oidc-tls.trust-store.jks.path=target/certificates/oidc-client-truststore.p12
-%tls-registry.quarkus.tls.oidc-tls.trust-store.jks.password=password
-%tls-registry.quarkus.tls.oidc-tls.hostname-verification-algorithm=NONE
 %tls-registry.quarkus.oidc.tls.verification=
 %tls-registry.quarkus.oidc.tls.trust-store-file=
 %tls-registry.quarkus.oidc.tls.trust-store-password=
 %tls-registry.quarkus.oidc.tls.key-store-file=
 %tls-registry.quarkus.oidc.tls.key-store-password=
 
+quarkus.tls.oidc-tls.key-store.jks.path=target/certificates/oidc-client-keystore.p12
+quarkus.tls.oidc-tls.key-store.jks.password=password
+quarkus.tls.oidc-tls.trust-store.jks.path=target/certificates/oidc-client-truststore.p12
+quarkus.tls.oidc-tls.trust-store.jks.password=password
+quarkus.tls.oidc-tls.hostname-verification-algorithm=NONE
+
 quarkus.native.additional-build-args=-H:IncludeResources=.*\\.p12
 
 quarkus.http.cors.enabled=true
@@ -44,3 +49,7 @@ quarkus.http.auth.permission.basic.auth-mechanism=basic
 quarkus.http.auth.permission.bearer.paths=/bearer-only
 quarkus.http.auth.permission.bearer.policy=authenticated
 quarkus.http.auth.permission.bearer.auth-mechanism=bearer
+
+
+quarkus.log.category."io.quarkus.oidc.runtime".min-level=TRACE
+quarkus.log.category."io.quarkus.oidc.runtime".level=TRACE

integration-tests/oidc/src/test/java/io/quarkus/it/keycloak/AbstractBearerTokenAuthorizationTest.java

@@ -2,6 +2,8 @@
 
 import static org.awaitility.Awaitility.await;
 import static org.hamcrest.Matchers.equalTo;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
 
 import java.util.Arrays;
 import java.util.concurrent.TimeUnit;
@@ -11,6 +13,7 @@
 import org.junit.jupiter.api.Test;
 
 import io.quarkus.oidc.common.runtime.OidcConstants;
+import io.quarkus.oidc.runtime.OidcUtils;
 import io.quarkus.test.keycloak.client.KeycloakTestClient;
 import io.quarkus.test.keycloak.client.KeycloakTestClient.Tls;
 import io.restassured.RestAssured;
@@ -154,6 +157,49 @@ public void testVerificationFailedInvalidToken() {
                         + OidcConstants.RESOURCE_METADATA_WELL_KNOWN_PATH + "\""));
     }
 
+    @Test
+    public void testVerificationFailedInvalidTokenHeaders() {
+        String token = getAccessToken("alice");
+        int ind = token.indexOf('.');
+        String invalidToken = "1" + token.substring(ind);
+        assertNull(OidcUtils.decodeJwtHeaders(invalidToken));
+        assertNotNull(OidcUtils.decodeJwtContent(invalidToken));
+        RestAssured.given().auth().oauth2(invalidToken)
+                .when().get("/api/users/me").then()
+                .statusCode(401)
+                .header("WWW-Authenticate", equalTo("Bearer resource_metadata=\"https://localhost:8081"
+                        + OidcConstants.RESOURCE_METADATA_WELL_KNOWN_PATH + "\""));
+    }
+
+    @Test
+    public void testVerificationEarlyJwkResolution() {
+        String token = getAccessToken("alice");
+        RestAssured.given().auth().oauth2(token)
+                .when().get("/api/users/me/jwk-delayed-resolution")
+                .then()
+                .statusCode(200)
+                .body("userName", equalTo("alice"));
+    }
+
+    @Test
+    public void testVerificationFailedInvalidTokenEarlyJwkResolution() {
+        RestAssured.given().auth().oauth2("123")
+                .when().get("/api/users/me/jwk-delayed-resolution").then()
+                .statusCode(401);
+    }
+
+    @Test
+    public void testVerificationFailedInvalidTokenHeadersEarlyJwkResolution() {
+        String token = getAccessToken("alice");
+        int ind = token.indexOf('.');
+        String invalidToken = "1" + token.substring(ind);
+        assertNull(OidcUtils.decodeJwtHeaders(invalidToken));
+        assertNotNull(OidcUtils.decodeJwtContent(invalidToken));
+        RestAssured.given().auth().oauth2(invalidToken)
+                .when().get("/api/users/me/jwk-delayed-resolution").then()
+                .statusCode(401);
+    }
+
     //see https://github.com/quarkusio/quarkus/issues/5809
     @RepeatedTest(20)
     public void testOidcAndVertxHandler() {