NullPointerException in AbstractClientCredentialsClient.expirationDate due to null value in java.util.Map

[RicardoRB]

Expected Behavior

The method should handle null values gracefully, either by returning a default value or throwing a more descriptive exception.

Actual Behaviour

When attempting to validate the expiration of an OAuth2 token using the AbstractClientCredentialsClient, the application encounters a NullPointerException. This occurs because the OAuth interceptor does not properly handle a null value within the java.util.Map that is used during the token parsing or validation process. As a result, the application crashes unexpectedly, making it impossible to retrieve or validate tokens in certain scenarios.

Steps To Reproduce

1. Configure an OAuth2 client using Micronaut's security features.
2. Intercept a token request using the AbstractClientCredentialsClient.
3. The application throws a NullPointerException during the token expiration validation.

Error Message

NullPointerException: Cannot invoke "java.util.Map.get(Object)" because "o" is null

Stack Trace

com.nimbusds.jose.util.JSONObjectUtils in getGeneric at line 170
com.nimbusds.jose.util.JSONObjectUtils in getString at line 319
com.nimbusds.jose.Header in parseAlgorithm at line 368
com.nimbusds.jwt.JWTParser in parse at line 74
io.micronaut.security.oauth2.client.clientcredentials.AbstractClientCredentialsClient in expirationDate at line 139
io.micronaut.security.oauth2.client.clientcredentials.AbstractClientCredentialsClient in isExpired at line 111
io.micronaut.security.oauth2.client.clientcredentials.AbstractClientCredentialsClient in lambda$requestToken$2 at line 87
reactor.core.publisher.MonoFlatMap$FlatMapMain in onNext at line 132
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onNext at line 57
reactor.core.publisher.MonoNext$NextSubscriber in onNext at line 82
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onNext at line 57
reactor.core.publisher.FluxMaterialize$MaterializeSubscriber in onNext at line 114
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onNext at line 57
reactor.core.publisher.FluxReplay$UnboundedReplayBuffer in replayNormal at line 618
reactor.core.publisher.FluxReplay$UnboundedReplayBuffer in replay at line 709
reactor.core.publisher.FluxReplay$ReplayInner in request at line 1711
reactor.core.publisher.FluxMaterialize$MaterializeSubscriber in request at line 148
reactor.core.publisher.MonoNext$NextSubscriber in request at line 108
reactor.core.publisher.MonoFlatMap$FlatMapMain in request at line 194
reactor.core.publisher.FluxHide$SuppressFuseableSubscriber in request at line 152
reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber in request at line 171
reactor.core.publisher.FluxSwitchMapNoPrefetch$SwitchMapMain in onSubscribe at line 147
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onSubscribe at line 50
reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber in onSubscribe at line 96
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onSubscribe at line 50
reactor.core.publisher.FluxHide$SuppressFuseableSubscriber in onSubscribe at line 122
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onSubscribe at line 50
reactor.core.publisher.FluxHide$SuppressFuseableSubscriber in onSubscribe at line 122
reactor.core.publisher.MonoFlatMap$FlatMapMain in onSubscribe at line 117
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onSubscribe at line 50
reactor.core.publisher.MonoNext$NextSubscriber in onSubscribe at line 70
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onSubscribe at line 50
reactor.core.publisher.FluxMaterialize$MaterializeSubscriber in onSubscribe at line 103
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onSubscribe at line 50
reactor.core.publisher.FluxReplay in subscribeOrReturn at line 1181
reactor.core.publisher.InternalConnectableFluxOperator in subscribe at line 55
reactor.core.publisher.FluxAutoConnectFuseable in subscribe at line 61
reactor.core.publisher.Flux in subscribe at line 8660
reactor.core.publisher.FluxSwitchMapNoPrefetch$SwitchMapMain in subscribeInner at line 218
reactor.core.publisher.FluxSwitchMapNoPrefetch$SwitchMapMain in onNext at line 164
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onNext at line 57
reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber in onNext at line 129
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onNext at line 57
reactor.core.publisher.FluxHide$SuppressFuseableSubscriber in onNext at line 137
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onNext at line 57
reactor.core.publisher.FluxHide$SuppressFuseableSubscriber in onNext at line 137
reactor.core.publisher.MonoCallable$MonoCallableSubscription in request at line 156
reactor.core.publisher.FluxHide$SuppressFuseableSubscriber in request at line 152
reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber in request at line 171
reactor.core.publisher.FluxSwitchMapNoPrefetch$SwitchMapMain in onSubscribe at line 147
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onSubscribe at line 50
reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber in onSubscribe at line 96
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onSubscribe at line 50
reactor.core.publisher.FluxHide$SuppressFuseableSubscriber in onSubscribe at line 122
io.micronaut.reactive.reactor.instrument.ReactorSubscriber in onSubscribe at line 50
reactor.core.publisher.FluxHide$SuppressFuseableSubscriber in onSubscribe at line 122
reactor.core.publisher.MonoCallable in subscribe at line 48
reactor.core.publisher.Flux in subscribe at line 8660
reactor.core.publisher.Flux in blockFirst at line 2700
io.micronaut.http.client.netty.DefaultHttpClient$1 in exchange at line 499
io.micronaut.http.client.netty.DefaultHttpClient$1 in retrieve at line 506
io.micronaut.http.client.interceptor.HttpClientIntroductionAdvice in lambda$intercept$5 at line 411
io.micronaut.http.client.interceptor.HttpClientIntroductionAdvice in handleBlockingCall at line 510
io.micronaut.http.client.interceptor.HttpClientIntroductionAdvice in intercept at line 410
io.micronaut.aop.chain.MethodInterceptorChain in proceed at line 137
io.micronaut.retry.intercept.RecoveryInterceptor in intercept at line 98
io.micronaut.aop.chain.MethodInterceptorChain in proceed at line 137

Environment Information

JVM Version: 17.0.8.1

Example Application

No response

Version

micronaut | 3.8.5
micronaut-aop | 3.10.4
micronaut-buffer-netty | 3.10.4
micronaut-cache-core | 3.5.0
micronaut-context | 3.10.4
micronaut-core | 3.10.4
micronaut-core-reactive | 3.10.4
micronaut-data-hibernate-jpa | 3.10.0
micronaut-data-jdbc | 3.10.0
micronaut-data-model | 3.10.0
micronaut-data-runtime | 3.10.0
micronaut-data-tx | 3.10.0
micronaut-data-tx-hibernate | 3.10.0
micronaut-flyway | 5.5.0
micronaut-hibernate-jpa | 4.8.1
micronaut-http | 3.10.4
micronaut-http-client | 3.10.4
micronaut-http-client-core | 3.10.4
micronaut-http-netty | 3.10.4
micronaut-http-server | 3.10.4
micronaut-http-server-netty | 3.10.4
micronaut-http-validation | 3.10.4
micronaut-inject | 3.10.4
micronaut-jackson-core | 3.10.4
micronaut-jackson-databind | 3.10.4
micronaut-jdbc | 4.8.1
micronaut-jdbc-hikari | 4.8.1
micronaut-json-core | 3.10.4
micronaut-kafka | 4.5.5
micronaut-kotlin-runtime | 3.2.2
micronaut-management | 3.10.4
micronaut-messaging | 3.10.4
micronaut-micrometer-core | 4.8.3
micronaut-micrometer-registry-prometheus | 4.8.3
micronaut-picocli | 4.4.0
micronaut-redis-lettuce | 5.4.0
micronaut-router | 3.10.4
micronaut-runtime | 3.10.4
micronaut-rxjava3 | 2.4.1
micronaut-rxjava3-http-client | 2.4.1
micronaut-security | 3.11.1
micronaut-security-annotations | 3.11.1
micronaut-security-jwt | 3.11.1
micronaut-security-oauth2 | 3.11.1
micronaut-tracing | 3.2.7
micronaut-validation | 3.10.4
micronaut-websocket | 3.10.4

[sdelamo]

@RicardoRB what kind of token you are getting a Null pointer exception with? Can you provide an example of an actual token which crashes for you? Moreover, what version of Micronaut Security are you working with?

[RicardoRB]

@RicardoRB what kind of token you are getting a Null pointer exception with? Can you provide an example of an actual token which crashes for you? Moreover, what version of Micronaut Security are you working with?

I don't have an example of a toke, sorry for that. The version for security is:

micronaut | 3.8.5
micronaut-aop | 3.10.4
micronaut-buffer-netty | 3.10.4
micronaut-cache-core | 3.5.0
micronaut-context | 3.10.4
micronaut-core | 3.10.4
micronaut-core-reactive | 3.10.4
micronaut-data-hibernate-jpa | 3.10.0
micronaut-data-jdbc | 3.10.0
micronaut-data-model | 3.10.0
micronaut-data-runtime | 3.10.0
micronaut-data-tx | 3.10.0
micronaut-data-tx-hibernate | 3.10.0
micronaut-flyway | 5.5.0
micronaut-hibernate-jpa | 4.8.1
micronaut-http | 3.10.4
micronaut-http-client | 3.10.4
micronaut-http-client-core | 3.10.4
micronaut-http-netty | 3.10.4
micronaut-http-server | 3.10.4
micronaut-http-server-netty | 3.10.4
micronaut-http-validation | 3.10.4
micronaut-inject | 3.10.4
micronaut-jackson-core | 3.10.4
micronaut-jackson-databind | 3.10.4
micronaut-jdbc | 4.8.1
micronaut-jdbc-hikari | 4.8.1
micronaut-json-core | 3.10.4
micronaut-kafka | 4.5.5
micronaut-kotlin-runtime | 3.2.2
micronaut-management | 3.10.4
micronaut-messaging | 3.10.4
micronaut-micrometer-core | 4.8.3
micronaut-micrometer-registry-prometheus | 4.8.3
micronaut-picocli | 4.4.0
micronaut-redis-lettuce | 5.4.0
micronaut-router | 3.10.4
micronaut-runtime | 3.10.4
micronaut-rxjava3 | 2.4.1
micronaut-rxjava3-http-client | 2.4.1
micronaut-security | 3.11.1
micronaut-security-annotations | 3.11.1
micronaut-security-jwt | 3.11.1
micronaut-security-oauth2 | 3.11.1
micronaut-tracing | 3.2.7
micronaut-validation | 3.10.4
micronaut-websocket | 3.10.4

[sdelamo]

can you reproduce that it is still an issue in Micronaut 4 ?