[Azure Oauth2] IllegalArgumentException: Attribute value for "xxx" is null #16340
Comments
jloisel
added
status: waiting-for-triage
jloisel
changed the title
|
Code failing on Spring Security side: public DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map<String, Object> attributes,
String nameAttributeKey) {
Assert.notEmpty(attributes, "attributes cannot be empty");
Assert.hasText(nameAttributeKey, "nameAttributeKey cannot be empty");
Assert.notNull(attributes.get(nameAttributeKey),
"Attribute value for '" + nameAttributeKey + "' cannot be null");
this.authorities = (authorities != null)
? Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities)))
: Collections.unmodifiableSet(new LinkedHashSet<>(AuthorityUtils.NO_AUTHORITIES));
this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes));
this.nameAttributeKey = nameAttributeKey;
}If we use "preferred_username" as attribute: If we use "sub" as name attribute key, we are able to proceed further into our @Override
public void onAuthenticationSuccess(
final HttpServletRequest request,
final HttpServletResponse response,
final Authentication authentication) throws IOException {
final OAuth2AuthenticationToken token = (OAuth2AuthenticationToken) authentication;
final String registrationId = token.getAuthorizedClientRegistrationId();
final OAuth2User p = token.getPrincipal();
final Pair<String, String> pair = repository.getUsernameSuffixAndAllowedDomains(registrationId);
final String username = lowerCase(getUsername(p, pair.getKey()));
log.error(
"[SSO] id='{}', username='{}', attrs='{}', domains='{}'",
registrationId, username, p.getAttributes(), allowedDomains
);
....
}Where we can see that all attributes are there:
That means, "preferred_username" is an attribute but it's not working, despite being there. |
|
I have more info about the issue after debugging. The issue is in @Override
public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
Assert.notNull(userRequest, "userRequest cannot be null");
OidcUserInfo userInfo = null;
if (this.retrieveUserInfo.test(userRequest)) {
OAuth2User oauth2User = this.oauth2UserService.loadUser(userRequest);
Map<String, Object> claims = getClaims(userRequest, oauth2User);
userInfo = new OidcUserInfo(claims);
// https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
// 1) The sub (subject) Claim MUST always be returned in the UserInfo Response
if (userInfo.getSubject() == null) {
OAuth2Error oauth2Error = new OAuth2Error(INVALID_USER_INFO_RESPONSE_ERROR_CODE);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
// 2) Due to the possibility of token substitution attacks (see Section
// 16.11),
// the UserInfo Response is not guaranteed to be about the End-User
// identified by the sub (subject) element of the ID Token.
// The sub Claim in the UserInfo Response MUST be verified to exactly match
// the sub Claim in the ID Token; if they do not match,
// the UserInfo Response values MUST NOT be used.
if (!userInfo.getSubject().equals(userRequest.getIdToken().getSubject())) {
OAuth2Error oauth2Error = new OAuth2Error(INVALID_USER_INFO_RESPONSE_ERROR_CODE);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
}
return this.oidcUserMapper.apply(userRequest, userInfo);
}First, the Oauth2 user is created using OAuth2User oauth2User = this.oauth2UserService.loadUser(userRequest);In this case, the user has only limited attributes (4 in our case, like "sub"). Later on: return this.oidcUserMapper.apply(userRequest, userInfo);Which delegates to: org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequestUtils#getUserThis is where the The bug is in Assert.notNull(attributes.get(nameAttributeKey),
"Attribute value for '" + nameAttributeKey + "' cannot be null");Checking for The bug has been introduced in this commit: This check cannot be performed this early. |
….getName() Signed-off-by: jloisel <[email protected]>
|
Hi, This bug is preventing us from using Oauth2 authentication. I suspect it's breaking any oauth2 integration which has the username-attribute claim provided by the userinfo endpoint. Can you please take a look? Best Regards, |
|
Associated pull request: #16546 |
|
@jloisel thanks for following up on this, and apologies that we didn't see this earlier.
I have personally used the Can you please put together a minimal reproducer that includes your Spring Security |
sjohnr
added
status: waiting-for-feedback
|
Hi, I understand you are probably quite busy! You will have to find a provider which doesn't provide the user-name-attribute in in the first claims. I don't know which other SSO provider works that way. We also have a Google SSO integration and this one works well (but all claims are provided by the first call). You don't even need any specific Spring Security configuration. You can use a sample SSO, as long as you use Azure SSO (maybe other SSO providers working same way as Azure are broken too). application.yml: (use your own clientId / clientSecret and TENANT_ID) spring.security.oauth2.client:
registration:
azure:
client-id: XXX
client-secret: XXX
name: "Azure"
scope: openid,profile,email
client-authentication-method: client_secret_basic
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
client-name: azure
provider:
azure:
authorization-uri: "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
token-uri: "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token"
user-info-uri: "https://graph.microsoft.com/oidc/userinfo"
jwk-set-uri: "https://login.microsoftonline.com/TENANT_ID/discovery/v2.0/keys"
issuer-uri: "https://login.microsoftonline.com/TENANT_ID/v2.0"
user-name-attribute: preferred_usernameYou can use the default login page and try to login. It will fail with a null pointer if the user-name-attribute is not provided in the first claims. |
spring-projects-issues
added
status: feedback-provided
If I can't get a developer account, I often just write integrations tests or customize Spring Authorization Server to emulate the misbehaving or problematic provider. I can handle that no problem. Thanks for the config. |
|
Hi @sjohnr Do you have any update on this issue? Regards, |
|
Not yet @jloisel. I will add this to my list for this week and see if I can look into it. |
|
Hi @jloisel, I have not attempted to test Azure directly, but I have a test set up with Spring Authorization Server and I can easily reproduce. The way I reproduced the issue was to ensure that the ID Token contains an The Have you tried setting |
sjohnr
added
status: waiting-for-feedback
|
Hi, We have used "email" as well and it doesn't work, because Azure returns it via userinfo claims. Only "sub" attribute works, but it's an internal azure id which cannot be used as the username. Anything else fails with a null pointer. |
spring-projects-issues
added
status: feedback-provided
I think that would mean that it is not returned from the UserInfo endpoint. This would mean that Azure's UserInfo Endpoint is not spec-compliant. Can you try something else for me? Please try commenting out the |
|
We had initially setup the sso integration with openid scope only. But, as it contained only cryptic fields like "sub", we could not map any of the fields to a valid username. We added email and profile scopes later on, with the result described before. The userinfo endpoint being called is not the issue. It provides the correct and meaningful claims later on if we configure "user-name-attribute" with a claim such as "sub" (we did this trying to find out workarounds). It's just too late because Spring fails much earlier when trying to instantiate If the user-name-attribute claim is only provided by the userinfo endpoint, Spring fails with an NPE before getting to call the userinfo endpoint. |
The
The ID token contains the claims you are talking about here. Claims from both UserInfo and the ID token are later combined to create a Please try the suggested workaround
and report back. I want to make sure I understand how the provider is behaving, as that is critical information for determining how to proceed. |
sjohnr
added
status: waiting-for-feedback
|
Hi, I have tested the following:
Here is a screenshot debugging the claims just before it throws the NPE:
First stack:
On second instantiation (withint the same flow of execution, later on), stack:
It does not fail NPE as "sub" is there on first instantiation, but not usable as a valid username. When userinfo endpoint is provided, and scopes include "email,profile", then "preferred_username" is present the second time Spring instantiates the DefaultOauth2User. But, the first time, when the minimal Default2OauthUser is instantiated, the claim is not there. I have hidden sensitive information in screenshots. |
spring-projects-issues
added
status: feedback-provided
|
Thanks @jloisel. Unfortunately, the combination I had hoped for, you have not tested yet according to the above. Apologies if I was unclear. In your config example, please try commenting out the |
|
Hi, Thanks for the suggestion! I tried it and it's working: (no
I had tried many combinations of settings but didn't thought of removing the user-info-uri (as I thought it was mandatory to work). I guess we can close the issue as it's a misconfiguration from our side. |
|
Thanks for confirming that works, @jloisel. We at least have a workaround to provide.
I don't actually think it is a misconfiguration on your part. The issue is that Microsoft publishes the UserInfo Endpoint URI ( To go any farther, I wanted to make sure I fully understood the provider behavior. One last question I have about that (as I don't have access to an environment I can look at for this information): Do you know of any configuration on the Azure side that would adjust the response for the UserInfo Endpoint? Meaning, is the behavior we're seeing here specific to your configuration, or are you using a generic environment and this behavior (missing claims in the UserInfo response) would be universal across environments? |
|
I don't know how Azure SSO is configured as one of our client did the configuration. They didn't indicate any special configuration from their side. We just got client id and secret from them. I used the well-known open-id configuration to manually configure the sso integration on our side. I don't think the issue here is specific to our configuration. We use spring boot oauth2 authentication without any customisation for our third party SSO integrations. It can be worth documenting this odd behavior and suggest to users stuck with the same issue to try removing the What was misleading was the fact changing the I would expect other users to run into this issue as well. |
|
Thanks @jloisel. I have created an Azure AD B2C tenant on a trial account to test whether this is an out-of-the-box experience. It appears that the UserInfo Endpoint from Microsoft Graph API always behaves this way by default. While it is possible to customize the UserInfo Endpoint as part of a custom policy, I doubt that's a viable option in general. I'm not yet certain of a minimal fix for this issue in the framework that doesn't negatively affect other flows. I'm going to leave this issue open to document the workaround (there are also other possible workarounds) while looking for a solution. |
|
@jloisel I've opened gh-16843 to track a possible enhancement for Spring Security 7. That enhancement would address this issue, but is a breaking change. We are considering whether this is the right direction to go in 7, or if there are other alternatives. I'm not aware of any alternatives at the moment. |
|
Thanks for the insight! The workaround is working in our situation. |
|
Had the same problem, while learning Spring Security Oauth. Self-made "client" was just redirecting me back to auth page and had "IllegalArgumentException: Attribute value for "id" is null" in console. I just added claim"id" with username as a value to jwt on Oauth server side and everything worked fine. |
Hi,
We are having the following issue when trying to configure Azure SSO Authentication using Spring Security Oauth2:
Seems linked to #15338.
If we use "sub" username attribute, there is no longer the issue (but sub cannot be mapped to an email on our system), but we can dump the user in an
Oauth2AuthenticationSuccessHandler:The claims have "preferred_username" in
Oauth2AuthenticationSuccessHandlerbut if we use any asuser-name-attributeit fails with a null pointer exception (despite being in the user claims afterwards).I believe the null check is done too early and claims seem to be filled afterwards.
We are using Spring Security 6.4.2, Spring Boot 3.4.1.
The text was updated successfully, but these errors were encountered: