ForgeRock Identity Platform
Does not apply to Identity Cloud

Shared secret cannot be null error when requesting OAuth2 access tokens in AM 6.0.x

Last updated Jan 12, 2023

The purpose of this article is to provide assistance if you receive an "Internal Server Error" when making a call to the OAuth2 access_token endpoint in AM, which is "caused by: java.lang.NullPointerException: Shared secret cannot be null".


The following response is received when the access_token endpoint is called:

{    "error_description": "Internal Server Error",     "error": "server_error"  }

The following error is shown in the message level OAuth2Provider debug log when this happens:

OAuth2Provider:10/08/2019 09:27:03:137 AM BST: Thread[default task-288,5,main]: TransactionId[c4b3b5d1-ed84-4be5-a5e7-143a700b341a-127615] ERROR: Unhandled exception: Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request   at org.restlet.resource.ServerResource.doHandle(    at    at org.restlet.resource.ServerResource.doHandle(    at org.restlet.resource.ServerResource.doNegotiatedHandle(    at org.restlet.resource.ServerResource.doConditionalHandle(    at org.restlet.resource.ServerResource.handle(    at org.restlet.resource.Finder.handle(    at org.restlet.routing.Filter.doHandle(    at org.restlet.routing.Filter.handle(    ...    Caused by: java.lang.NullPointerException: Shared secret cannot be null.

Recent Changes



The Token Signing HMAC Shared Secret is either not defined for the OAuth2 Provider (null) or the value specified is not a base64 encoded key used by HS256, HS384 and HS512.


Changes were made in AM 6.5 to store this secret in a Secret Store instead, which is why later versions are not affected: What's New in AM 6.5. The corresponding secret ID is See Secret ID Mapping Defaults for further information.


This issue can be resolved by populating the Token Signing HMAC Shared Secret with a base64 encoded key used by HS256, HS384 and HS512. If it is already populated, you should try re-encoding the secret in case it has been altered.

  1. Base64 encode the secret, for example, you could use the DS base64 tool. For testing and pre-production environments, you can use the default value: l6QZJe4O4be65x8TU7F2ihonPxCgimk5ekIOL+L50Zc=
  2. Update Token Signing HMAC Shared Secret with the encoded key using either the AM admin UI, Amster or ssoadm:
    • AM admin UI: navigate to: Realms > [Realm Name] > Services > OAuth2 Provider > Advanced > Token Signing HMAC Shared Secret and enter a valid key.
    • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
      • Entity: OAuth2Provider
      • Property: tokenSigningHmacSharedSecret
    • ssoadm: enter the following command: $ ./ssoadm set-realm-svc-attrs -s OAuth2Provider -e [realmname] -u [adminID] -f [passwordfile] -a tokenSigningHmacSharedSecret=[key] replacing [realmname], [adminID], [passwordfile] and [key] with appropriate values.

See Also

Configuring Digital Signatures


Authentication and Logout

Related Training


Related Issue Tracker IDs

OPENAM-13414 (Upgrade to AM6 fails if OAuth2 Provider service lacks tokenSigningHmacSharedSecret)

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.