Null Pointer Using Token Exchange in 26.0.5

We have configured Keycloak to allow our Gateway to exchange OIDC JWT tokens issued by an external IDP for internal tokens with specific scopes and audiences targeting backend microservices.

I am seeing a NullPointerException generated when upgrading to 26.0.5.

Configuration Summary

  • IDP: Has a permission policy for token-exchange with an authorization scope of token-exchange, and includes Gateway as a client. The Issuer field for IDP matches the iss claim in the incoming tokens, and all standard OIDC endpoints are properly configured for IDP.
  • Gateway: Uses the same token-exchange policy configured on the IDP to facilitate exchanges for tokens issued by the IDP.
  • Backend: Each backend microservice client has its own token-exchange permission policy, also with an authorization scope of token-exchange, and includes Gateway as a client.

All authorization resources and policies are as provided out of the box with no customization.

Enabled Features: TOKEN_EXCHANGE and ADMIN_FINE_GRAINED_AUTHZ are enabled.

Purpose

This setup is designed to:

  • Ensure only Gateway can exchange tokens issued by the external IDP.
  • Allow each backend client to specify which other clients (including Gateway) can exchange tokens to obtain backend-specific tokens for them.

This configuration worked as expected in Keycloak versions 23 and 24.

Issue in Keycloak 26.0.5

In Keycloak 26.0.5, attempting a token exchange from IDP to Backend using the grant type "urn:ietf:params:oauth:grant-type:token-exchange" results in the following stack trace:

2024-11-06 12:33:55,415 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1) Uncaught server error: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.IdentityProviderModel.getProviderId()" because "model" is null
    at org.keycloak.services.resources.IdentityBrokerService.lambda$getIdentityProviderFactory$4(IdentityBrokerService.java:1334)
    at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:196)
    at java.base/java.util.HashMap$ValueSpliterator.tryAdvance(HashMap.java:1809)
    at java.base/java.util.stream.Streams$ConcatSpliterator.tryAdvance(Streams.java:720)
    at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:147)

Environment Details

  • Java Version: OpenJDK 21.0.2
  • Keycloak Startup Command: kc.bat start-dev

Question

This configuration appears identical to the previously functional setup. Does anyone have insights into potential configuration changes or issues in Keycloak 26.0.5 that might be causing this NullPointerException?

Any guidance or suggestions would be greatly appreciated.

Hi,

I’m experiencing the exact same issue after upgrading to Keycloak 26.

With the same configurations I have, everything works fine in versions 23, 24, and 25.

Given this, I can’t understand the reason for the error. Following the token exchange usage guide, I can’t see any configuration I might be missing…

I would appreciate any suggestions or guidance.

Thanks to anyone who can help.

Hi - please see NPE when no subject_issuer is used for token exchange · Issue #34869 · keycloak/keycloak · GitHub if not seen already - I think this looks like the issue
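An added example, not code from the posts above or from Keycloak itself: the Gateway's request for exchanging an external IDP JWT for a backend-scoped internal token, written so that subject_issuer (the IDP alias, the parameter the linked issue reports as missing when the NPE occurs) is always sent, plus a check that the returned token actually carries the requested backend audience. The Keycloak base URL, realm, client credentials, IDP alias and the sample token are assumed or constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"

# Constructed, unsigned sample (header "{}", payload {"aud":"backend"}) used only
# to exercise the inspection helpers below; a real response token is signed.
SAMPLE_EXCHANGED_TOKEN = "e30.eyJhdWQiOiJiYWNrZW5kIn0.sig"


def build_exchange_form(client_id, client_secret, subject_token,
                        subject_issuer, audience, scope=None):
    """Form body for an external-IDP-to-internal token exchange.

    subject_issuer is the alias of the IDP as configured in Keycloak; it is
    refused when empty because an exchange of an externally issued token
    without it is the case the linked issue describes as hitting the NPE.
    """
    if not subject_issuer:
        raise ValueError("subject_issuer (IDP alias) is required")
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,            # the Gateway client
        "client_secret": client_secret,
        "subject_token": subject_token,    # JWT issued by the external IDP
        "subject_token_type": JWT_TOKEN_TYPE,
        "subject_issuer": subject_issuer,
        "audience": audience,              # target backend client
    }
    if scope:
        form["scope"] = scope
    return form


def decode_jwt_payload(token):
    """Decode a JWT payload for inspection only; no signature verification."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token, expected_audience):
    """True if the token's aud claim (string or list) names the backend."""
    aud = decode_jwt_payload(token).get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return expected_audience in aud


def exchange_token(keycloak_base, realm, form):
    """POST the form to the realm token endpoint and return the JSON body."""
    url = f"{keycloak_base}/realms/{realm}/protocol/openid-connect/token"
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

After `exchange_token` returns, pass `access_token` to `audience_matches` with the backend client id before forwarding it; a token whose aud does not name the backend should be treated as a failed exchange.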