Keyvault JCA's AccessTokenUtil does not urlencode its parameters when getting an access token #40616

Closed
3 tasks done
guillaumepichenot opened this issue Jun 13, 2024 · 2 comments · Fixed by #40697 or #40740
azure-spring All azure-spring related issues bug This issue requires a change to an existing behavior in the product in order to be resolved. Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team
guillaumepichenot commented Jun 13, 2024

Describe the bug
In our app, we get NullPointerException when first accessing a key through a com.azure.security.keyvault.jca.implementation.KeyVaultClient method.

We have every reason to believe our configuration is OK, as multiple other KeyVault-based elements in the stack work OK (e.g. KeyVault as property source, SecretClient instances...). The configuration / interaction mode with KeyVault is client_id / client_secret based.

On top of that, the same code works on many environments (preproduction...) but the NPE occurs only in production, with the seemingly only relevant difference being the actual values of client_id / client_secret.

Finally, it's pretty clear to me, having looked at it for a few hours, that the issue is:
a) hidden by the fact that the HTTP interactions made by the library output nothing / no log / error when an HTTP error occurs (40x, 50x, ...)
b) triggered while accessing the accessToken by tenant id / client id / client secret.
c) more explicitly, because the client_secret is not URL-encoded, which triggers a (rightful) sign-in failed error on https://login.microsoftonline.com's side: the secret is "wrong"

Exception or Stack Trace

Factory method 'myBeanMethod' 
  threw exception; nested exception is java.lang.NullPointerException: 
  Cannot invoke "com.azure.security.keyvault.jca.implementation.model.AccessToken.getAccessToken()" 
    because "this.accessToken" is null

Note: there is no stack trace for the HTTP call that tries to retrieve the token, but the Azure Portal (Enterprise application sign-in logs) shows a failed login attempt, in our case with an "Invalid client secret" failure reason.

To Reproduce

  • Create an Azure enterprise application with a client secret that requires escaping to conform to x-www-form-urlencoded encoding (e.g. @ or [] come to mind)
  • Instantiate a com.azure.security.keyvault.jca.implementation.KeyVaultClient using the valid clientid / secret / tenant ID / keyvault URL
  • Perform an operation (getKey, getCertificate)
  • NPE is thrown

Code Snippet

    // KeyVaultClient is com.azure.security.keyvault.jca.implementation.KeyVaultClient;
    // kvProperties is the Spring Cloud Azure KeyVault secret properties bean.
    private void azureJcaKeyVaultClient(AzureKeyVaultSecretProperties kvProperties) {
        String clientId = kvProperties.getCredential().getClientId();
        String clientSecret = kvProperties.getCredential().getClientSecret();
        String tenantId = kvProperties.getProfile().getTenantId();
        String endpoint = kvProperties.getEndpoint();

        // First data-plane call triggers the token request; this is where the NPE surfaces.
        var c = new KeyVaultClient(endpoint, tenantId, clientId, clientSecret);
        c.getKey("someKey");
    }

Expected behavior
Have a successful login when the client secret (or any other authentication variable) requires encoding to conform to the HTTP status

Screenshots
N/A

Setup (please complete the following information):

  • OS: Linux, MacOS
  • IDE: IntelliJ, deployed on Azure Linux ASP
  • Library/Libraries: com.azure:azure-security-keyvault-jca:2.8.1
  • Java version: 11, 17, 21
  • App Server/Environment: SpringBoot / Tomcat

Additional context
The bug is pretty clear when looking at the current implementation:

AccessToken result = null;
StringBuilder oauth2Url = new StringBuilder();
oauth2Url.append(aadAuthenticationUrl == null ? OAUTH2_TOKEN_BASE_URL : aadAuthenticationUrl)
    .append(tenantId)
    .append(OAUTH2_TOKEN_POSTFIX);
StringBuilder requestBody = new StringBuilder();
requestBody.append(GRANT_TYPE_FRAGMENT)
    .append(CLIENT_ID_FRAGMENT).append(clientId)
    .append(CLIENT_SECRET_FRAGMENT).append(clientSecret)
    .append(RESOURCE_FRAGMENT).append(resource);
String body = HttpUtil
    .post(oauth2Url.toString(), requestBody.toString(), "application/x-www-form-urlencoded");
if (body != null) {
    result = (AccessToken) JsonConverterUtil.fromJson(body, AccessToken.class);
}
LOGGER.log(FINER, "Access token: {0}", result);

Raw string concatenation may or may not work considering the request's content type.

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
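
To make the failure mode concrete, the following is an added example, not code from this issue or from the azure-security-keyvault-jca library. It builds the token-request body the way the quoted AccessTokenUtil snippet does (raw concatenation) and the way a form-encoded body must be built (each value percent-encoded), then decodes both the way a token endpoint parsing application/x-www-form-urlencoded would. The client id, secret and resource are constructed placeholders, the field names are assumed to match the GRANT_TYPE_FRAGMENT / CLIENT_ID_FRAGMENT / CLIENT_SECRET_FRAGMENT / RESOURCE_FRAGMENT constants, and java.net.URLEncoder is one way to do the encoding, not necessarily what the linked fix uses.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class FormEncodingDemo {
    // Constructed placeholder credentials, not real values.
    static final String CLIENT_ID = "11111111-2222-3333-4444-555555555555";
    // A secret containing characters that are significant in a form body:
    // '&' and '=' split fields, '+' decodes to a space, '@' '[' ']' are reserved.
    static final String CLIENT_SECRET = "a@b[c]d&e=f+g";
    static final String RESOURCE = "https://vault.azure.net";

    // Mirrors the raw concatenation in the issue's snippet: values appended as-is.
    static String buildBodyRaw(String clientId, String clientSecret, String resource) {
        return "grant_type=client_credentials"
            + "&client_id=" + clientId
            + "&client_secret=" + clientSecret
            + "&resource=" + resource;
    }

    // Corrected form: every value is percent-encoded for application/x-www-form-urlencoded.
    static String buildBodyEncoded(String clientId, String clientSecret, String resource) {
        return "grant_type=client_credentials"
            + "&client_id=" + formEncode(clientId)
            + "&client_secret=" + formEncode(clientSecret)
            + "&resource=" + formEncode(resource);
    }

    // URLEncoder.encode(String, Charset) exists since Java 10 (the reporter runs 11/17/21).
    static String formEncode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // Decodes a body the way a token endpoint would: split on '&', then on the first '=',
    // and percent-decode each part ('+' becomes a space).
    static Map<String, String> parseForm(String body) {
        Map<String, String> fields = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String val = eq < 0 ? "" : pair.substring(eq + 1);
            fields.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(val, StandardCharsets.UTF_8));
        }
        return fields;
    }

    // True when the secret the server decodes equals the secret the client intended to send.
    static boolean secretSurvives(String body, String expectedSecret) {
        return expectedSecret.equals(parseForm(body).get("client_secret"));
    }

    public static void main(String[] args) {
        String rawBody = buildBodyRaw(CLIENT_ID, CLIENT_SECRET, RESOURCE);
        String encodedBody = buildBodyEncoded(CLIENT_ID, CLIENT_SECRET, RESOURCE);

        // Demo only: never log real request bodies, they carry the client secret.
        System.out.println("raw body:     " + rawBody);
        System.out.println("  server sees client_secret = " + parseForm(rawBody).get("client_secret")
            + ", fields = " + parseForm(rawBody).keySet()
            + ", secret intact: " + secretSurvives(rawBody, CLIENT_SECRET));

        System.out.println("encoded body: " + encodedBody);
        System.out.println("  server sees client_secret = " + parseForm(encodedBody).get("client_secret")
            + ", fields = " + parseForm(encodedBody).keySet()
            + ", secret intact: " + secretSurvives(encodedBody, CLIENT_SECRET));
    }
}
```

With the raw body the endpoint decodes client_secret as "a@b[c]d" and sees a stray field "e" with value "f g", which is exactly the "Invalid client secret" outcome the sign-in logs show; with the encoded body the secret round-trips unchanged. The same applies to the resource value, whose "://" is only safe because the endpoint happens to tolerate it. A library building form bodies by hand should encode every value, and should treat a null response from the HTTP helper as an error to log rather than silently leaving accessToken null.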
@github-actions github-actions bot added azure-spring All azure-spring related issues Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jun 13, 2024
Thank you for your feedback. Tagging and routing to the team member best able to assist.

@saragluna saragluna added this to the 2024-07 milestone Jun 14, 2024
@saragluna saragluna added bug This issue requires a change to an existing behavior in the product in order to be resolved. and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jun 14, 2024
@rujche rujche moved this from Todo to In Progress in Spring Cloud Azure Jun 19, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in Spring Cloud Azure Jun 20, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Sep 18, 2024