-
Bug
-
Resolution: Unresolved
-
Low
-
None
-
None
-
None
-
None
Summary
When "state" is no present in an OpenID authentication request, a 500 error appears
Environment
- Tested on Bitbucket DC configured with OpenID
Steps to Reproduce
- Send OpenID authentication request with "state" not present
Expected Results
Catch this type of exception and provide a better error message so that the cause of the issue is known.
Actual Results
The below exception is thrown in the Bitbucket application logs:
2020-05-15 13:40:41,470 ERROR \[http-nio-7990-exec-9] @SNOOPWx820x116x0 172.17.0.1,172.17.0.1 "GET /mvc/error500 HTTP/1.1" c.a.s.i.web.ErrorPageController There was an unhandled exception loading \[/plugins/servlet/oidc/callback] java.lang.NullPointerException: null at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.doGet(OidcConsumerServlet.java:102\) at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24\) at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24\) at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24\) at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24\) at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24\) at com.atlassian.analytics.client.filter.UniversalAnalyticsFilter.doFilter(UniversalAnalyticsFilter.java:75\) at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:33\) at com.atlassian.plugins.authentication.impl.web.filter.ErrorHandlingFilter.doFilter(ErrorHandlingFilter.java:79\) at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42\) at com.atlassian.bitbucket.internal.ratelimit.servlet.filter.RateLimitFilter.doFilter(RateLimitFilter.java:75\) at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:181\) at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:85\) at com.atlassian.plugin.connect.plugin.auth.scope.ApiScopingFilter.doFilter(ApiScopingFilter.java:81\) at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42\) at com.atlassian.stash.internal.spring.security.StashAuthenticationFilter.doFilter(StashAuthenticationFilter.java:110\) at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:112\) at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:75\) at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:94\) at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:67\) at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42\) at com.atlassian.plugin.connect.plugin.auth.oauth2.DefaultSalAuthenticationFilter.doFilter(DefaultSalAuthenticationFilter.java:69\) at com.atlassian.plugin.connect.plugin.auth.user.ThreeLeggedAuthFilter.doFilter(ThreeLeggedAuthFilter.java:109\) at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:37\) at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:33\) at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:33\) at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42\) at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90\) at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73\) at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:87\) at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38\) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149\) at java.lang.Thread.run(Thread.java:748\) ... 235 frames trimmed
A 500 error is shown on the UI with no descriptive message of the actual cause.
Workaround
No workaround