500 Error: /api/jwt/vend

support 0

I'm attempting to use the /api/jwt/vend endpoint and getting a 500 ERROR as a response. This seems very similar/identical to [this] previous report.

Here is the error from the logs:

2022-05-29 10:31:28.498 PM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.NullPointerException: Cannot read field "keyId" because "this.request" is null
	at io.fusionauth.app.action.api.jwt.VendAction.validate(VendAction.java:53)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:414)
	at org.primeframework.mvc.validation.DefaultValidationProcessor.validate(DefaultValidationProcessor.java:77)
	at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:46)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:81)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:44)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:126)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:91)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:64)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at io.fusionauth.app.primeframework.CORSFilter.doFilter(CORSFilter.java:262)
	at io.fusionauth.app.primeframework.CORSRequestWorkflow.perform(CORSRequestWorkflow.java:49)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at io.fusionauth.app.primeframework.FusionAuthMVCWorkflow.perform(FusionAuthMVCWorkflow.java:86)
	at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44)
	at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50)
	at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:78)
	at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:367)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:639)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:881)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1647)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:833)

Request Attempts:

curl -vvv -X POST -H 'Authorization: ##api_key##' -d '{"keyId": "fafdc79b-d058-4e93-99d9-759e40b03711", "timeToLiveInSeconds":300, "claims":{"sub":"test","roles":["anonymous"]}}' 'https://##instance_url##/api/jwt/vend?client_id=##client_id##&client_secret=##client_secret##'

curl -vvv -X POST -H 'X-FusionAuth-TenantId: ##tenant_id##' -H 'Authorization: ##api_key##' -d '{"keyId": "fafdc79b-d058-4e93-99d9-759e40b03711", "timeToLiveInSeconds":300, "claims":{"sub":"test","roles":["anonymous"]}}' 'https://##instance_url##/api/jwt/vend?client_id=##client_id##&client_secret=##client_secret##'

curl -vvv -X POST -d '{"keyId": "fafdc79b-d058-4e93-99d9-759e40b03711", "timeToLiveInSeconds":300, "claims":{"sub":"test","roles":["anonymous"]}}' 'https://##url##/api/jwt/vend?client_id=##client_id##&client_secret=##client_secret##'

curl -vvv -X POST -H 'Authorization: ##api_key##' -d '{"keyId": "fafdc79b-d058-4e93-99d9-759e40b03711", "timeToLiveInSeconds":300, "claims":{"sub":"test","roles":["anonymous"]}}' 'https://##url##/api/jwt/vend'

Instance Details:
Version: 1.36.4
Latest version:
Nodes: 1
Runtime mode: Development
Host: Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-1048-azure x86_64)
Reverse Proxy: nginx

dan

@support-0

Hmmm.

Do you see the same issues when you don't put the parameters on the request?

The vend API doesn't require them. It is designed to create arbitrary JWTs signed by FusionAuth managed keys, and there's need to tie such JWTs to an account. If you want the aud or applicationId claim to be set to an application client Id, you need those values in the body.

support 0

@dan no matter how I change the request (including no query string) if I remove the Authorization header it gives me a 401, otherwise i get the same 500 error.

dan

@support-0 Ah, I think you need to use -H 'Content-type: application/json' as well. Otherwise curl sends the post as form parameters, which doesn't work.

I'll file a bug about the 500 error, we shouldn't return that, though.

support 0

@dan ah! That worked. Thanks. Your timing is uncanny, I just pushed a fake JWT creator awaiting this fix. Switching back to FA for my anon users

support 0

@dan How do I mark this as [resolved]?

dan

@support-0 I think you have to mark it as a question and then mark it as an answered question.

dan

Bug filed here: https://github.com/FusionAuth/fusionauth-issues/issues/1740