AM Next Gen httpClient Issue

As part of a journey, I need to call an outside provider to migrate passwords. There are a number of different endpoints depending on customer type, so I need to build the request and execute it. I am using AM 7.4 with a next-gen script, but when I call httpClient.send(...).get() I get a null exception on the get() for the response (see the code block below).

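// This is the httpClient wrapper / getter.
/**
 * Sends a POST request to a Keycloak endpoint through the httpClient binding
 * and returns the resolved response.
 *
 * Relies on bindings supplied by the script host: sharedLib, logger, config
 * and httpClient.
 *
 * @param {string} uri - Endpoint URL to call.
 * @param {string} authSecret - Sent verbatim as the Authorization header. No
 *     scheme prefix is added here, so the caller must supply the complete
 *     header value.
 * @param {Object|string} jsonBody - Request body, passed through unchanged.
 * @returns {Object} Whatever httpClient.send(uri, options).get() yields.
 */
function sendRequestToKeycloak(uri, authSecret, jsonBody) {
    var REDACTED = "<redacted>";
    // Top-level body fields that carry credentials and must never reach the logs.
    var sensitiveBodyKeys = ["password", "client_secret"];

    sharedLib.logInfo(logger, "Sending http request to keycloak URL " + uri, config.nodeName);

    // NOTE(review): OAuth 2.0 token endpoints are specified to take
    // application/x-www-form-urlencoded bodies (RFC 6749); if uri is a token
    // endpoint, confirm the provider accepts JSON.
    var requestOptions = {
        method: "POST",
        headers: {
            "Content-Type": "application/json",
            "Authorization": authSecret
        },
        body: jsonBody
    };

    // Build a separate, redacted view for logging. The Authorization value is a
    // live credential (Base64 is an encoding, not encryption) and the body can
    // hold the end user's password; both end up in log stores and in anything
    // pasted from them. Redaction is shallow: nested objects are not inspected.
    var loggedBody = jsonBody;
    if (typeof jsonBody === "string") {
        // A pre-serialised body cannot be filtered field by field.
        loggedBody = REDACTED;
    } else if (jsonBody !== null && typeof jsonBody === "object") {
        loggedBody = {};
        Object.keys(jsonBody).forEach(function (key) {
            loggedBody[key] = sensitiveBodyKeys.indexOf(key) === -1 ? jsonBody[key] : REDACTED;
        });
    }
    var loggedOptions = {
        method: requestOptions.method,
        headers: {
            "Content-Type": requestOptions.headers["Content-Type"],
            "Authorization": REDACTED
        },
        body: loggedBody
    };
    sharedLib.logInfo(logger, "Request Options: " + JSON.stringify(loggedOptions), config.nodeName);

    var response = httpClient.send(uri, requestOptions).get();

    if (response) {
        // Report success only once a response object actually exists.
        sharedLib.logInfo(logger, "Successfully received a response from the keycloak URL, returning the response now", config.nodeName);
        sharedLib.logInfo(logger, "We have a response object, checking the status", config.nodeName);
        sharedLib.logInfo(logger, "Status: " + response.status, config.nodeName);
    } else {
        sharedLib.logInfo(logger, "Nothing in the response body so need to check this", config.nodeName);
    }
    return response;
}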

At the get() call in the block, a null exception is thrown in the logs and processing stops / fails. Also, I am sniffing one of the endpoints and not seeing AM touch the endpoint at all, so it is failing before it ever sends.

Below is the request options string that gets dumped out, so I know that part is working.

Request Options: {\"method\":\"POST\",\"headers\":{\"Content-Type\":\"application/json\",\"Authorization\":\"c2VydmljZWFjY291bnQ6WU85MFVwRnlaR1l0T3VjUGRNb2tqTGRBNmx4YUpyQnA=\"},\"body\":{\"grant_type\":\"password\",\"audience\":\"serviceaccount\",\"username\":\"kctest1\",\"password\":\"<removed>\"}}"

and getting the below exception:
Jun 6, 2024 @ 22:55:41.806 {"timestamp":"2024-06-07T02:55:41.806Z","level":"WARN","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"org.forgerock.openam.scripting.sandbox.RhinoSandboxClassShutter","message":"Classname failed to match whitelist: 'java.lang.NullPointerException'","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.806 {"timestamp":"2024-06-07T02:55:41.806Z","level":"WARN","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"org.forgerock.openam.scripting.sandbox.RhinoSandboxClassShutter","message":"Classname failed to match whitelist: 'org.mozilla.javascript.WrappedException'","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.806 {"timestamp":"2024-06-07T02:55:41.806Z","level":"ERROR","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"scripts.AUTHENTICATION_TREE_DECISION_NODE.389a3082-244d-4ecb-9155-f07c3987e129.(journey-keyCloakPasswordValidation)","message":"KEYCLOAKLOGIN:Exception running the keycloak login / password migration","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.806 {"timestamp":"2024-06-07T02:55:41.806Z","level":"ERROR","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"scripts.AUTHENTICATION_TREE_DECISION_NODE.389a3082-244d-4ecb-9155-f07c3987e129.(journey-keyCloakPasswordValidation)","message":"KEYCLOAKLOGIN:Exception: InternalError: null","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.806 
{"timestamp":"2024-06-07T02:55:41.806Z","eventName":"AM-NODE-LOGIN-COMPLETED","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206","trackingIds":["74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23151"],"principal":["kctest1"],"entries":[{"info":{"nodeOutcome":"false","treeName":"LoginTesting","displayName":"KeyCloak Passthrough Login","nodeType":"ScriptedDecisionNode","nodeId":"3a7ac4da-6b59-4446-aa61-26466a7ff357","authLevel":"0"}}],"realm":"/","component":"Authentication","source":"audit","topic":"authentication","level":"INFO","_eventId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23212"} Jun 6, 2024 @ 22:55:41.806 {"timestamp":"2024-06-07T02:55:41.806Z","level":"WARN","thread":"http-nio-8081-exec-10","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"org.forgerock.openam.auth.trees.engine.AuthTreeExecutor","message":"Ignoring the new universal id as that is empty and the current universal id is already set id=109ae359-5777-4aeb-8593-7d2a65921503,ou=user,ou=am-config","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.805 {"timestamp":"2024-06-07T02:55:41.805Z","level":"ERROR","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"scripts.AUTHENTICATION_TREE_DECISION_NODE.389a3082-244d-4ecb-9155-f07c3987e129.(journey-keyCloakPasswordValidation)","message":"KEYCLOAKLOGIN:have a customer object, proceeding with getting the data / processing","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.805 {"timestamp":"2024-06-07T02:55:41.805Z","level":"WARN","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"org.forgerock.openam.scripting.sandbox.RhinoSandboxClassShutter","message":"The class 'org.forgerock.openam.scripting.api.PrefixedScriptPropertyResolver' is not supported for scripting, and may be changed or removed in a future 
release","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.805 {"timestamp":"2024-06-07T02:55:41.805Z","level":"ERROR","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"scripts.AUTHENTICATION_TREE_DECISION_NODE.389a3082-244d-4ecb-9155-f07c3987e129.(journey-keyCloakPasswordValidation)","message":"KEYCLOAKLOGIN:We have valid customer object so can proceeed with the setup","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.805 {"timestamp":"2024-06-07T02:55:41.805Z","level":"ERROR","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"scripts.AUTHENTICATION_TREE_DECISION_NODE.389a3082-244d-4ecb-9155-f07c3987e129.(journey-keyCloakPasswordValidation)","message":"KEYCLOAKLOGIN:Sending http request to keycloak URL https://keycloak.hatsec.com/realms/hatsec3/protocol/openid-connect/token","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.805 {"timestamp":"2024-06-07T02:55:41.805Z","level":"ERROR","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"scripts.AUTHENTICATION_TREE_DECISION_NODE.389a3082-244d-4ecb-9155-f07c3987e129.(journey-keyCloakPasswordValidation)","message":"KEYCLOAKLOGIN:Request Options: {\"method\":\"POST\",\"headers\":{\"Content-Type\":\"application/json\",\"Authorization\":\"c2VydmljZWFjY291bnQ6WU85MFVwRnlaR1l0T3VjUGRNb2tqTGRBNmx4YUpyQnA=\"},\"body\":{\"grant_type\":\"password\",\"audience\":\"serviceaccount\",\"username\":\"kctest1\",\"password\":\"<removed>\"}}","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.804 
{"timestamp":"2024-06-07T02:55:41.804Z","level":"WARN","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"org.forgerock.openam.scripting.sandbox.RhinoSandboxClassShutter","message":"Class edu not found when checking if supported for scripting","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.804 {"timestamp":"2024-06-07T02:55:41.804Z","level":"WARN","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"org.forgerock.openam.scripting.sandbox.RhinoSandboxClassShutter","message":"Class net not found when checking if supported for scripting","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.804 {"timestamp":"2024-06-07T02:55:41.804Z","level":"ERROR","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"scripts.AUTHENTICATION_TREE_DECISION_NODE.389a3082-244d-4ecb-9155-f07c3987e129.(journey-keyCloakPasswordValidation)","message":"KEYCLOAKLOGIN:Starting the main run of the keycloak login / passthrough authentication","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.803 {"timestamp":"2024-06-07T02:55:41.803Z","level":"WARN","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"org.forgerock.openam.scripting.sandbox.RhinoSandboxClassShutter","message":"Class org not found when checking if supported for scripting","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.803 {"timestamp":"2024-06-07T02:55:41.803Z","level":"WARN","thread":"ScriptEvaluator-7","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"org.forgerock.openam.scripting.sandbox.RhinoSandboxClassShutter","message":"Class com not found when checking if 
supported for scripting","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.761 {"timestamp":"2024-06-07T02:55:41.760Z","level":"WARN","thread":"http-nio-8081-exec-10","mdc":{"transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"},"logger":"org.forgerock.openam.auth.trees.engine.AuthTreeExecutor","message":"Ignoring the new universal id as that is empty and the current universal id is already set id=109ae359-5777-4aeb-8593-7d2a65921503,ou=user,ou=am-config","context":"default","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206"} Jun 6, 2024 @ 22:55:41.760 {"timestamp":"2024-06-07T02:55:41.760Z","eventName":"AM-NODE-LOGIN-COMPLETED","transactionId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23206","trackingIds":["74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23151"],"principal":["kctest1"],"entries":[{"info":{"nodeOutcome":"true","treeName":"LoginTesting","displayName":"keycloak notice","nodeType":"MessageNode","nodeId":"b56de598-b9db-42c0-84f9-df741c70010b","authLevel":"0"}}],"realm":"/","component":"Authentication","source":"audit","topic":"authentication","level":"INFO","_eventId":"74472e22-7c7d-4150-afb6-fd51ca4f1fd5-23210"}

Anyone get this working / have a pointer on this one?

Thanks
Nick

Hi @nick.hunt - I can’t see anything that stands out to me. If I were troubleshooting this I’d look to add java.lang.NullPointerException and org.mozilla.javascript.WrappedException to the scripting whitelist and see if the specific details of the exceptions give any more insight.

The only thing that is popping into my mind here is whether or not you have actually selected Next Generation for the script engine. I think the httpClient behaves differently between legacy and next gen so that might explain the NPE, but I’m not certain about that.

Yeah, I double-checked the script to make sure it was next gen because I thought the same, but I am also using a shared library in this script, so I know it is running in the next-gen engine, since those aren’t supported in the legacy engine.

I did add those to the scripting configuration and got the same errors.