Authentication fails with Internal Server Error (500) after installing or upgrading to Agent 5.x

Symptoms

You receive an HTTP 500 response or the following message is shown when you attempt to access the resource being protected by the agent:

"server_error Internal Server Error"

The following error is shown in the OAuth2Provider debug log when this happens:

OAuth2Provider:05/05/2020 14:27:16:488 AM BST: Thread[https-jsse-nio-443-exec-4,5,main]: TransactionId[65513f3e-18f1-44c7-9a28-c5c90327f933-595237]
WARNING: An unexpected exception occurred while handling an OAuth2 request
Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
   at org.restlet.resource.ServerResource.doHandle(ServerResource.java:539)
   at org.restlet.resource.ServerResource.get(ServerResource.java:742)
   at org.restlet.resource.ServerResource.doHandle(ServerResource.java:617)
   at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:678)
   at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:356)
   at org.restlet.resource.ServerResource.handle(ServerResource.java:1043)
...
Caused by: java.lang.NullPointerException
   at org.forgerock.openam.oauth2.AgentClientRegistration.createIDTokenJwt(AgentClientRegistration.java:188)
   at org.forgerock.openidconnect.OpenIdConnectToken.createJwt(OpenIdConnectToken.java:335)
   at org.forgerock.openidconnect.OpenIdConnectToken.toMap(OpenIdConnectToken.java:304)

Recent Changes

Installed or upgraded to Agent 5.x.

Causes

The agent JWT creation fails because of the NPE (Null Pointer Exception) seen in the logs, which signifies an underlying issue with the keystore. Common keystore issues that cause this error are (but not limited to):

• The key is missing.
• The key alias name is incorrect (for example, you have not changed the 'test' key alias).
• The keypair has not been generated correctly.
• The keystore type is wrong.

Solution

This issue can be resolved by identifying what is wrong with the keystore and fixing it. If you are not using the default key alias (or it doesn't exist in the keystore you are using), begin by ensuring you follow the steps in one of the following guides to create new key aliases depending on which agent you are using:

• Web Agents User Guide › Configuring AM to Sign Authentication Information
• Java Agents User Guide › Configuring AM Servers to Communicate With Java Agents

If this does not resolve it, other resources that might help are:

• Unable to retrieve certificate with alias 'test' from keystore after making changes to the keystore in AM (All versions)
• OAuth 2.0 Guide › AM as the Authorization Server
• OAuth 2.0 Guide › AM as Client and Resource Server

See Also

redirect_uri_mismatch error occurs after upgrading to, or installing Web Agents 5.x

Redirect loop between AM and Agent 5.x after successful authentication

Apache Web Agent 5.x does not start after installing it on RHEL or CentOS configured with SELinux

Web Agents › User Guide › Default Login Redirection Mode

Java Agents › User Guide › Default Login Redirect Mode

Web Agents User Guide › Custom Login Redirection Mode

Java Agents › User Guide › Custom Login Redirect Mode

Related Training

N/A

Related Issue Tracker IDs

N/A