Description
When a refresh_token grant request fails due to any validation or processing error, and DEBUG logging is enabled for the org.wso2.carbon.identity.oauth2 component, the server throws a NullPointerException while attempting to sanitize the error message.
As a result, instead of returning the expected OAuth2 error response with HTTP 400 and invalid_grant, the server returns an HTTP 500 response with server_error.
Error Stack Trace
java.lang.NullPointerException: Cannot invoke "java.lang.CharSequence.toString()" because "s" is null
    at java.base/java.lang.String.contains(String.java:2981)
    at org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils.getSanitizedErrorMessage(LoggerUtils.java:263)
    at org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.validateGrantAndIssueToken(AccessTokenIssuer.java:321)
Steps to Reproduce
Enable DEBUG logging for the org.wso2.carbon.identity.oauth2 package in the log4j2.properties file.
Restart the server and generate an access token using the Password Grant flow. Make sure a refresh token is also issued.
Invalidate the persisted token state (or create a scenario where the refresh token validation fails and the persisted access token data cannot be found).
Invoke the token endpoint using the Refresh Token Grant with the previously issued refresh token.
Check the server logs and observe the NullPointerException originating from LoggerUtils.getSanitizedErrorMessage().
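The following is an added, self-contained Java sketch (not WSO2's code; every class and method name in it is hypothetical) that mimics the failure path above: a sanitizer that calls String.contains on a null error message inside a DEBUG-only branch, so a validation failure that should produce 400/invalid_grant surfaces as 500/server_error, next to a null-safe sanitizer that keeps the intended error response.

```java
import java.util.Objects;
import java.util.function.UnaryOperator;

public class RefreshGrantNpeDemo {

    // Hypothetical stand-in for the OAuth2 error response; not the WSO2 type.
    static final class TokenResponse {
        final int status;
        final String error;
        TokenResponse(int status, String error) { this.status = status; this.error = error; }
        @Override public String toString() { return status + " " + error; }
    }

    // Mimics a sanitizer that assumes a non-null message. Calling
    // String.contains on a null reference is what raises the NPE in the report.
    static String sanitizeUnsafe(String message) {
        return message.contains("\n") ? message.replace("\n", " ") : message;
    }

    // Null-safe version: treat a missing message as empty before inspecting it.
    static String sanitizeSafe(String message) {
        String safe = Objects.requireNonNullElse(message, "");
        return safe.replace("\n", " ").replace("\r", " ");
    }

    // Simulates the grant handler after refresh-token validation has already failed.
    // The DEBUG branch runs the sanitizer on the validation error's message, which may be null;
    // any unexpected exception on this error path is reported as a server error.
    static TokenResponse handleFailedRefreshGrant(boolean debugEnabled, String validationError,
                                                  UnaryOperator<String> sanitizer) {
        try {
            if (debugEnabled) {
                String sanitized = sanitizer.apply(validationError);
                System.out.println("DEBUG refresh_token grant failed: " + sanitized);
            }
            return new TokenResponse(400, "invalid_grant");
        } catch (RuntimeException e) {
            return new TokenResponse(500, "server_error");
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: the validation exception carries no message at all.
        String nullMessage = null;
        System.out.println(handleFailedRefreshGrant(true, nullMessage, RefreshGrantNpeDemo::sanitizeUnsafe));
        System.out.println(handleFailedRefreshGrant(true, nullMessage, RefreshGrantNpeDemo::sanitizeSafe));
        System.out.println(handleFailedRefreshGrant(false, nullMessage, RefreshGrantNpeDemo::sanitizeUnsafe));
    }
}
```

With DEBUG on, only the null-safe sanitizer preserves the 400/invalid_grant response; with DEBUG off the sanitizer is never reached, which is why the report ties the symptom to the logging level.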
Version
4.7.0
Environment Details (with versions)
No response