Environment
| Component | Version |
|---|---|
| WSO2 API Manager | 4.6.0 |
| WSO2 Identity Server | 6.1.0 (offset = 1) |
Description
When using the token exchange grant type (urn:ietf:params:oauth:grant-type:token-exchange) with a third-party key manager (IS 6.1.0), APIM throws a NullPointerException in SystemScopesIssuer because the IDP is looked up by JWT issuer value using getIdPByName(), but the auto-generated IDP name created during key manager setup does not match the JWT issuer.
Error
ERROR - SystemScopesIssuer No Registered IDP found for the JWT with issuer name: https://<IDP_ISSUER>/oauth2/token
java.lang.NullPointerException: Cannot invoke "...IdentityProvider.getClaimConfig()" because "ajc$this.identityProvider" is null
at SystemScopesIssuer.java:608
Steps to Reproduce
- Set up IS 6.1.0 (offset=1) and APIM 4.6.0. Configure a third-party key manager in APIM Admin Portal pointing to IS.
- Note that the auto-created IDP name in APIM Management Console does not match the JWT issuer value.
- Create a Dev Portal application and enable the token-exchange grant type.
- Obtain a token from IS via client_credentials, then use it in a token exchange request against APIM:
  curl 'https://localhost:9443/oauth2/token' \
    -H 'Authorization: Basic <base64>' \
    --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
    --data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:jwt' \
    --data-urlencode 'subject_token=<IS_access_token>'
- Observe the NPE in logs.
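The mismatch described above can be confirmed offline before sending the exchange request. The following is an added example, not WSO2 code and not part of the original report: it reads the `iss` claim from a subject token and checks it against a list of IDP names. Assumptions: the by-name lookup is modelled as an exact string match, and the sample token, issuer URL and IDP name are constructed placeholders.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding errors
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def check_idp_lookup(token: str, idp_names: list[str]) -> dict:
    """Report whether a by-name IDP lookup keyed on `iss` would find an entry.

    Assumption: the lookup is an exact, case-sensitive match on the IDP name.
    """
    iss = jwt_claims(token).get("iss")
    if not isinstance(iss, str) or not iss:
        return {"issuer": None, "found": False, "reason": "token has no iss claim"}
    if iss in idp_names:
        return {"issuer": iss, "found": True, "reason": "an IDP name equals the issuer"}
    return {"issuer": iss, "found": False,
            "reason": "no IDP is named after the issuer; a by-name lookup returns null"}


def b64url_json(obj: dict) -> str:
    """Helper used only to build the constructed sample token below."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample data (placeholders, not values from the report).
SAMPLE_ISSUER = "https://is.example.test/oauth2/token"
SAMPLE_TOKEN = ".".join([b64url_json({"alg": "none"}),
                         b64url_json({"iss": SAMPLE_ISSUER, "sub": "svc"}), "sig"])
AUTO_IDP_NAME = "AUTO_GENERATED_IDP_NAME_PLACEHOLDER"

if __name__ == "__main__":
    print(check_idp_lookup(SAMPLE_TOKEN, [AUTO_IDP_NAME]))                 # the reported case
    print(check_idp_lookup(SAMPLE_TOKEN, [AUTO_IDP_NAME, SAMPLE_ISSUER]))  # a name equals iss
```

To check a real token, pass the IS access token and the IDP names shown in the APIM Management Console to `check_idp_lookup`.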