DefaultClaimSanitizationStrategy throws an NPE when sanitizing null-valued claims. There should not be null-valued claims, but unfortunately there are, and the OIDC RP should somehow cope with them.
The outcome of this is that upstream authentication fails if the OP sends a null-valued claim, for instance in the UserInfo response.
2024-10-09 05:22:24,392 - 193.166.85.248 - idp-sauth.k8s.dev-sa.csc.fi - ERROR [net.shibboleth.idp.authn:35] - Uncaught runtime exception
java.lang.NullPointerException: null
at java.base/java.util.Objects.requireNonNull(Objects.java:209)
2024-10-09 05:22:24,392 - 193.166.85.248 - idp-sauth.k8s.dev-sa.csc.fi - ERROR [net.shibboleth.idp.authn:35] - Uncaught runtime exception
java.lang.NullPointerException: null
at java.base/java.util.Objects.requireNonNull(Objects.java:209)
at java.base/java.util.stream.Collectors.lambda$uniqKeysMapAccumulator$1(Collectors.java:180)
at java.base/java.util.stream.ReduceOps$3ReducingSink.accept(ReduceOps.java:169)
at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
at java.base/java.util.HashMap$EntrySpliterator.forEachRemaining(HashMap.java:1850)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
at net.shibboleth.idp.plugin.authn.oidc.rp.impl.DefaultClaimSanitizationStrategy.apply(DefaultClaimSanitizationStrategy.java:64)
at net.shibboleth.idp.plugin.authn.oidc.rp.impl.DefaultClaimSanitizationStrategy.apply(DefaultClaimSanitizationStrategy.java:34)
at net.shibboleth.idp.plugin.authn.oidc.rp.impl.ProcessEndUserClaims.doExecute(ProcessEndUserClaims.java:274)
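The trace points at Collectors.toMap, whose accumulator calls Objects.requireNonNull on every value, so a single null-valued claim aborts the whole stream. The following is an added illustration, not the plugin's code: it reproduces that failure on a constructed UserInfo-style claim map and shows the approach proposed in the ticket, filtering null-valued entries out before collecting (class and method names are hypothetical).

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

/** Added example, not the Shibboleth OIDC RP plugin's own sanitizer. */
public final class NullClaimSanitizer {

    /** Same shape as the failing pattern: toMap rejects a null value with an NPE. */
    static Map<String, Object> sanitizeUnsafe(Map<String, Object> claims) {
        return claims.entrySet().stream()
                .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
    }

    /** Fixed shape: drop null keys/values before the collector sees them. */
    static Map<String, Object> sanitize(Map<String, Object> claims) {
        return claims.entrySet().stream()
                .filter(e -> e.getKey() != null && e.getValue() != null)
                .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue,
                        (first, second) -> second, LinkedHashMap::new));
    }

    public static void main(String[] args) {
        // Constructed UserInfo claims; "middle_name" carries a null value like the OP in the report.
        Map<String, Object> userInfo = new HashMap<>();
        userInfo.put("sub", "248289761001");
        userInfo.put("email", "jane@example.org");
        userInfo.put("middle_name", null);

        try {
            sanitizeUnsafe(userInfo);
            System.out.println("unexpected: toMap accepted a null value");
        } catch (NullPointerException e) {
            // This is the path the stack trace shows (Objects.requireNonNull inside toMap).
            System.out.println("toMap failed on null claim value: " + e);
        }

        Map<String, Object> clean = sanitize(userInfo);
        System.out.println("sanitized claims: " + clean);          // middle_name is gone
        System.out.println("contains middle_name: " + clean.containsKey("middle_name"));
    }
}
```

Dropping the claim rather than keeping it as null also keeps downstream attribute resolution from seeing a key with no value; logging the dropped claim names at debug level is worth adding so a misbehaving OP is visible in the IdP logs.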
Environment
None
Activity
Philip Smart
March 26, 2025 at 10:40 AM
Reopen to change fix version
Philip Smart
October 9, 2024 at 10:06 AM
I think the most obvious thing to do is to remove claims with null values from the resultant claims set.
Philip Smart
October 9, 2024 at 9:26 AM
We had no test coverage for a null claim value. I’ve added that as a start.