Shared secret cannot be null error when requesting OAuth2 access tokens in AM 5.x and 6.0.0.x

Last updated Sep 13, 2019

The purpose of this article is to provide assistance if you receive an "Internal Server Error" when calling the OAuth2 access_token endpoint in AM, where the underlying exception is "java.lang.NullPointerException: Shared secret cannot be null".


Symptoms

The following response is received when the access_token endpoint is called:

{ 
   "error_description": "Internal Server Error", 
   "error": "server_error" 
}

The following error is shown in the message level OAuth2Provider debug log when this happens:

OAuth2Provider:10/08/2019 09:27:03:137 AM BST: Thread[default task-288,5,main]: TransactionId[c4b3b5d1-ed84-4be5-a5e7-143a700b341a-127615]
ERROR: Unhandled exception:
Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
   at org.restlet.resource.ServerResource.doHandle(ServerResource.java:539)
   at org.restlet.resource.ServerResource.post(ServerResource.java:1377)
   at org.restlet.resource.ServerResource.doHandle(ServerResource.java:620)
   at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:678)
   at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:356)
   at org.restlet.resource.ServerResource.handle(ServerResource.java:1043)
   at org.restlet.resource.Finder.handle(Finder.java:236)
   at org.restlet.routing.Filter.doHandle(Filter.java:150)
   at org.restlet.routing.Filter.handle(Filter.java:197)
   ...
   Caused by: java.lang.NullPointerException: Shared secret cannot be null.

Recent Changes

N/A

Causes

The Token Signing HMAC Shared Secret is either not defined for the OAuth2 Provider (so the value is null) or the value specified is not a valid base64 encoded key. This key is the one used for HS256, HS384 and HS512 token signing.

Note

Changes were made in AM 6.5 to store this secret in a Secret Store instead, which is why later versions are not affected: Release Notes › What's New in AM 6.5. The corresponding secret ID is am.services.oauth2.jwt.authenticity.signing. See Setup and Maintenance Guide › Secret ID Mapping Defaults for further information.

Solution

This issue can be resolved by populating the Token Signing HMAC Shared Secret with a base64 encoded key used by HS256, HS384 and HS512. If it is already populated, you should try re-encoding the secret in case it has been altered.

  1. Base64 encode the secret; for example, you can use the DS base64 tool. For testing and pre-production environments, you can use the default value: l6QZJe4O4be65x8TU7F2ihonPxCgimk5ekIOL+L50Zc=
  2. Update Token Signing HMAC Shared Secret with the encoded key using either the console, Amster or ssoadm:
    • Console: navigate to: Realms > [Realm Name] > Services > OAuth2 Provider > Advanced > Token Signing HMAC Shared Secret and enter a valid key.
    • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
      • Entity: OAuth2Provider
      • Property: tokenSigningHmacSharedSecret
    • ssoadm: enter the following command:
      $ ./ssoadm set-realm-svc-attrs -s OAuth2Provider -e [realmname] -u [adminID] -f [passwordfile] -a tokenSigningHmacSharedSecret=[key]
      replacing [realmname], [adminID], [passwordfile] and [key] with appropriate values.
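As an added check (an example script written for this article, not ForgeRock code), you can verify a candidate value before writing it to tokenSigningHmacSharedSecret: it must be strict base64 and decode to enough bytes for the algorithm. The minimum sizes assumed here follow RFC 7518 section 3.2 (the HMAC key must be at least as long as the hash output: 32, 48 or 64 bytes for HS256, HS384 or HS512).

```shell
#!/bin/sh
# Added example (not from the ForgeRock article): sanity-check a candidate
# Token Signing HMAC Shared Secret before setting it via console, Amster
# or ssoadm. Assumed minimum key sizes follow RFC 7518 section 3.2.

# Print the minimum key length in bytes for an HS* algorithm (default HS256).
min_bytes_for_alg() {
    case "${1:-HS256}" in
        HS256) echo 32 ;;
        HS384) echo 48 ;;
        HS512) echo 64 ;;
        *) echo "unknown algorithm: $1" >&2; return 1 ;;
    esac
}

# Return 0 if $1 is strict base64 and decodes to at least $2 bytes (default 32).
# A pasted secret with stray whitespace, quotes or a truncated tail fails here,
# which is the "altered value" case the article tells you to re-encode.
check_hmac_secret() {
    candidate=$1
    min_bytes=${2:-32}
    case "$candidate" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;   # empty, or non-base64 characters
    esac
    # base64 -d rejects bad length or padding; keep only its exit status.
    printf '%s' "$candidate" | base64 -d >/dev/null 2>&1 || return 1
    decoded_len=$(printf '%s' "$candidate" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$decoded_len" -ge "$min_bytes" ]
}

# Generate a fresh base64-encoded random key of $1 bytes (default 32), for
# production use instead of the article's well-known test value.
generate_hmac_secret() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# Usage: validate the article's default test value, then a freshly generated key.
check_hmac_secret 'l6QZJe4O4be65x8TU7F2ihonPxCgimk5ekIOL+L50Zc=' "$(min_bytes_for_alg HS256)" \
    && echo "default test key: OK for HS256"
new_key=$(generate_hmac_secret 64)
check_hmac_secret "$new_key" "$(min_bytes_for_alg HS512)" \
    && echo "generated key: $new_key"
```

The article's default value decodes to exactly 32 bytes, so it passes for HS256 but is too short for HS384 or HS512.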

See Also

OAuth 2.0 Guide › Configuring Digital Signatures

OAuth 2.0 Guide › Advanced

OAuth 2.0 Guide › Authentication and Logout

Related Training

N/A

Related Issue Tracker IDs

OPENAM-14306 (OAuth2 client secret - not all special characters require encoding)

OPENAM-13414 (Upgrade to AM6 fails if OAuth2 Provider service lacks tokenSigningHmacSharedSecret)

OPENAM-12080 (OAuth2 Stateless Session Signing Key lost during upgrade)



Copyright and Trademarks: Copyright © 2019 ForgeRock, all rights reserved.