mirror/keycloak
1
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2025-12-16 20:15:46 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fix NPE in JWT authenticators (#44941)

Browse Source 
Closes #44940

Signed-off-by: stianst <stianst@gmail.com>
This commit is contained in:
Stian Thorgersen
2025-12-16 14:41:14 +01:00
committed by GitHub
parent 33e3e680be
commit 5ae60f3513
3 changed files with 20 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
services/src/main/java/org/keycloak/authentication/authenticators/client/FederatedJWTClientAuthenticator.java
View File

@@ -23,6 +23,7 @@ import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.EnvironmentDependentProviderFactory;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.resources.IdentityBrokerService;
import org.jboss.logging.Logger;
@@ -79,13 +80,14 @@ public class FederatedJWTClientAuthenticator extends AbstractClientAuthenticator
context.attempted();
ClientAssertionState clientAssertionState = context.getState(ClientAssertionState.class, ClientAssertionState.supplier());
if (clientAssertionState == null || clientAssertionState.getClientAssertionType() == null) {
return;
}
JsonWebToken jwt = clientAssertionState.getToken();
// Ignore for self-signed client assertions
if (Objects.equals(clientAssertionState.getToken().getIssuer(), clientAssertionState.getToken().getSubject())) {
if (jwt != null && Objects.equals(jwt.getIssuer(), jwt.getSubject())) {
return;
}

2
services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java
View File

@@ -68,6 +68,7 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator {
ClientAssertionState clientAssertionState = context.getState(ClientAssertionState.class, ClientAssertionState.supplier());
JsonWebToken jwt = clientAssertionState.getToken();
if (jwt != null) {
// Ignore for client assertions signed by third-parties
if (!Objects.equals(jwt.getIssuer(), jwt.getSubject())) {
return;
@@ -76,6 +77,7 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator {
if (clientAssertionState.getClient() == null) {
clientAssertionState.setClient(context.getRealm().getClientByClientId(jwt.getSubject()));
}
}
JWTClientValidator validator = new JWTClientValidator(context, this::verifySignature, getId());

2
services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientSecretAuthenticator.java
View File

@@ -59,6 +59,7 @@ public class JWTClientSecretAuthenticator extends AbstractClientAuthenticator {
ClientAssertionState clientAssertionState = context.getState(ClientAssertionState.class, ClientAssertionState.supplier());
JsonWebToken jwt = clientAssertionState.getToken();
if (jwt != null) {
// Ignore for client assertions signed by third-parties
if (!Objects.equals(jwt.getIssuer(), jwt.getSubject())) {
return;
@@ -67,6 +68,7 @@ public class JWTClientSecretAuthenticator extends AbstractClientAuthenticator {
if (clientAssertionState.getClient() == null) {
clientAssertionState.setClient(context.getRealm().getClientByClientId(jwt.getSubject()));
}
}
JWTClientValidator validator = new JWTClientValidator(context, this::verifySignature, getId());
if (!validator.validate()) return;