
Fix NullPointerException bugs in JWT Authorization Grant validators#1467

Draft
Copilot wants to merge 5 commits into ISSUE-43971-IDJAGReceiver from copilot/review-bugs-and-fixes

Conversation


Copilot AI commented Feb 19, 2026

Description

Code review of the ID-JAG JWT Authorization Grant implementation revealed 5 critical NPE bugs in validator initialization and claim access patterns.

Issues Fixed

IDJWTAuthorizationGrantValidator.java

  • getOtherClaims() accessed without null check → NPE when claims map missing
  • client_id claim accessed without null check → NPE when claim absent
  • Improved error messages to distinguish missing claims map vs missing claim

JWTAuthorizationGrantType.java

  • getIssuer() and getSubject() called before clientAssertionState initialization when using custom validators:

    // Bug: these calls dereference clientAssertionState, which is still null at this point
    event.detail(Details.IDENTITY_PROVIDER_ISSUER, authorizationGrantContext.getIssuer());
    event.detail(Details.IDENTITY_PROVIDER_USER_ID, authorizationGrantContext.getSubject());

    // The state is only initialized afterwards, so the two calls above belong below this line
    authorizationGrantContext.setClientAssertionState(clientAssertionState);

    Moved event detail calls after state initialization.

  • Expiration comparison with nullable Long values → NPE:

    // Bug: getExp() returns a boxed Long; '<' unboxes it and throws NPE when the exp claim is absent
    if (authorizationGrantContext.getJWT().getExp() < responseBuilder.getAccessToken().getExp())

    // Fixed: compare only when both expirations are present
    Long jwtExp = authorizationGrantContext.getJWT().getExp();
    Long accessTokenExp = responseBuilder.getAccessToken().getExp();
    if (jwtExp != null && accessTokenExp != null && jwtExp < accessTokenExp)

Impact

Prevents NPEs in:

  • ID-JAG tokens missing client_id in OtherClaims
  • Custom validator initialization flow
  • Tokens without expiration claims

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • repo.gradle.org
  • repository.jboss.org

If you need me to access, download, or install something from one of these locations, you can either:
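
As an added illustration (not code from this PR or from Keycloak), a minimal Java model of the two patterns described above: a fail-closed client_id lookup that reports a missing claims map separately from a missing claim, and the null-safe expiration comparison. The `Token` class and its fields are assumed stand-ins for the real JWT type, and the sample values are constructed.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration (not Keycloak code): fail-closed claim access and
// null-safe expiration comparison, mirroring the fixes described in the PR.
public class JagClaimChecks {

    // Hypothetical stand-in for the token; only the two fields that matter here are modelled.
    static final class Token {
        final Map<String, Object> otherClaims; // null when the JWT carries no additional claims
        final Long exp;                        // null when the "exp" claim is absent
        Token(Map<String, Object> otherClaims, Long exp) { this.otherClaims = otherClaims; this.exp = exp; }
    }

    // Returns the client_id claim, or throws with a message that says which part was missing.
    static String requireClientId(Token token) {
        Map<String, Object> claims = token.otherClaims;
        if (claims == null) {
            throw new IllegalArgumentException("JWT carries no additional claims; client_id is required");
        }
        Object clientId = claims.get("client_id");
        if (clientId == null) {
            throw new IllegalArgumentException("JWT is missing the required client_id claim");
        }
        return clientId.toString();
    }

    // Unboxing a null Long in '<' throws NPE; compare only when both values are present.
    static boolean jwtExpiresBeforeAccessToken(Long jwtExp, Long accessTokenExp) {
        return jwtExp != null && accessTokenExp != null && jwtExp < accessTokenExp;
    }

    public static void main(String[] args) {
        Map<String, Object> withClientId = new HashMap<>();
        withClientId.put("client_id", "constructed-client"); // constructed sample value
        System.out.println(requireClientId(new Token(withClientId, 1_700_000_000L)));

        // Missing claims map, then present map without client_id: both are rejected with distinct messages.
        for (Token t : new Token[] { new Token(null, null), new Token(new HashMap<>(), null) }) {
            try {
                requireClientId(t);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }

        // A null exp on either side yields false instead of an NPE.
        System.out.println(jwtExpiresBeforeAccessToken(null, 1_700_000_000L));
        System.out.println(jwtExpiresBeforeAccessToken(1_600_000_000L, 1_700_000_000L));
    }
}
```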



Yutaka Obuchi and others added 2 commits February 6, 2026 00:46
…ck access token working as a part of token endpoint

Signed-off-by: Yutaka Obuchi <yutaka.obuchi.sd@hitachi.com>
Copilot AI and others added 3 commits February 19, 2026 09:31
- Add null check for getOtherClaims() map before accessing
- Add null check for client_id claim before validation
- Provide clear error messages for missing client_id claim

Co-authored-by: tnorimat <25092005+tnorimat@users.noreply.github.com>
- Distinguish between missing claims map and missing client_id claim
- More descriptive error message for missing client_id claim

Co-authored-by: tnorimat <25092005+tnorimat@users.noreply.github.com>
- Move getIssuer() and getSubject() calls after clientAssertionState initialization
- Add null checks for JWT expiration comparison to prevent NPE
- Add comment explaining the initialization order requirement

Co-authored-by: tnorimat <25092005+tnorimat@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Review and fix bugs in branch" to "Fix NullPointerException bugs in JWT Authorization Grant validators" on Feb 19, 2026
Copilot AI requested a review from tnorimat February 19, 2026 09:42
@tnorimat (Collaborator) commented:

@bucchi Hello, I asked the GitHub Copilot coding agent to review the branch and suggest code to fix potential bugs, if any exist. This is a trial of using the agent, so you need not follow the code suggestions.

bucchi force-pushed the ISSUE-43971-IDJAGReceiver branch from 055b308 to 37a541e on March 2, 2026 00:52