Input validation/ Unhandled NullPointerException on alg:none JWT in Bearer Authentication #48744

@marklovejoydynata

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

Sending a JWT with "alg": "none" to any Bearer-authenticated endpoint triggers an uncaught NullPointerException in Keycloak's JWT validation pipeline. The server returns HTTP 500 Internal Server Error instead of the correct HTTP 401 Unauthorized.

Using the JWT token {"alg":"none","typ":"JWT"} at endpoint /realms/master/protocol/openid-connect/userinfo triggers the response:

HTTP/1.1 500 Internal Server Error
Cache-Control: no-store
Pragma: no-cache
content-length: 94
Content-Type: application/json
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none

{"error":"unknown_error","error_description":"For more on this error consult the server log."}

With the error log showing:

2026-05-06 09:29:58,058 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1) Uncaught server error: java.lang.NullPointerException: Cannot invoke "org.keycloak.crypto.SignatureProvider.verifier(String)" because the return value of "org.keycloak.models.KeycloakSession.getProvider(java.lang.Class, String)" is null
at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:194)
at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:128)
at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint$quarkusrestinvoker$issueUserInfoGet_361b97a7d4023e6ab20a040be6491783be70b05a.invoke(Unknown Source)
at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:190)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:677)
at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:1583)

Version

26.6.0 (the same thing happens in nightly)

Regression

  • The issue is a regression

Expected behavior

Expect an HTTP/1.1 401 Unauthorized response with no NullPointerException in the logs.

Actual behavior

HTTP/1.1 500 Internal Server Error, with stderr showing:
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1) Uncaught server error: java.lang.NullPointerException: Cannot invoke "org.keycloak.crypto.SignatureProvider.verifier(String)" because the return value of "org.keycloak.models.KeycloakSession.getProvider(java.lang.Class, String)" is null

How to Reproduce?

If running locally on port 8080:
curl -si http://localhost:8080/realms/master/protocol/openid-connect/userinfo -H "Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhdHRhY2tlciIsImV4cCI6OTk5OTk5OTk5OX0." --include

Anything else?

No response
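The failure the report describes is a missing null check between "look up the signature provider for the header's alg" and "call its verifier". The following is an added Python stand-in for that validation step, not Keycloak code and not the reporter's: `VERIFIERS` is an assumed registry that plays the role of `KeycloakSession.getProvider(SignatureProvider.class, alg)` (returning `None` for an unregistered algorithm, which is what the stack trace dereferences), `Hs256Verifier`, `DEMO_SECRET`, `mint_hs256` and `http_status` are constructed helpers, and the `alg: none` token is the one from the repro above. `verify_bearer_buggy` reproduces the 500, `verify_bearer_hardened` rejects the unsupported algorithm and the empty signature as a 401 before any verifier is touched.

```python
import base64
import hashlib
import hmac
import json

# Token lifted from the bug report: header {"alg":"none","typ":"JWT"},
# payload {"sub":"attacker","exp":9999999999}, empty signature segment.
ALG_NONE_TOKEN = ("eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0."
                  "eyJzdWIiOiJhdHRhY2tlciIsImV4cCI6OTk5OTk5OTk5OX0.")

# Constructed secret for the HS256 stand-in verifier (assumption, not a Keycloak key).
DEMO_SECRET = b"constructed-demo-secret"


class Unauthorized(Exception):
    """Outcome that should map to HTTP 401, never to an uncaught exception."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def split_and_parse(token: str):
    """Return (header dict, signing input bytes, signature bytes) or raise Unauthorized."""
    parts = token.split(".")
    if len(parts) != 3:
        raise Unauthorized("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        signature = _b64url_decode(parts[2])
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise Unauthorized("undecodable token") from exc
    if not isinstance(header, dict):
        raise Unauthorized("header is not a JSON object")
    return header, f"{parts[0]}.{parts[1]}".encode(), signature


class Hs256Verifier:
    """Assumed stand-in for one registered SignatureProvider."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def verify(self, signing_input: bytes, signature: bytes) -> bool:
        expected = hmac.new(self._secret, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


# Registry standing in for session.getProvider(SignatureProvider.class, alg):
# a lookup for an unregistered alg yields None, the value the stack trace dereferences.
VERIFIERS = {"HS256": Hs256Verifier(DEMO_SECRET)}


def verify_bearer_buggy(token: str) -> dict:
    header, signing_input, signature = split_and_parse(token)
    verifier = VERIFIERS.get(header.get("alg"))
    # No null check: for alg "none" this raises AttributeError, the analogue of the NPE.
    if not verifier.verify(signing_input, signature):
        raise Unauthorized("bad signature")
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_bearer_hardened(token: str) -> dict:
    header, signing_input, signature = split_and_parse(token)
    alg = header.get("alg")
    verifier = VERIFIERS.get(alg)
    if verifier is None:
        # Rejects "none", typos and any algorithm without a registered provider.
        raise Unauthorized(f"unsupported alg {alg!r}")
    if not signature:
        raise Unauthorized("empty signature")
    if not verifier.verify(signing_input, signature):
        raise Unauthorized("bad signature")
    return json.loads(_b64url_decode(token.split(".")[1]))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Constructed helper producing a correctly signed token for the accept path."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def http_status(handler, token: str) -> int:
    """Map the handler outcome to the status the endpoint would return (200, 401, or 500 on an uncaught error)."""
    try:
        handler(token)
        return 200
    except Unauthorized:
        return 401
    except Exception:
        return 500


if __name__ == "__main__":
    print("buggy, alg none:", http_status(verify_bearer_buggy, ALG_NONE_TOKEN))        # 500
    print("hardened, alg none:", http_status(verify_bearer_hardened, ALG_NONE_TOKEN))  # 401
    good = mint_hs256({"sub": "alice"}, DEMO_SECRET)
    print("hardened, valid HS256:", http_status(verify_bearer_hardened, good))         # 200
```

The ordering in the hardened path is the point: the algorithm is checked against the set of registered providers, and the signature segment is checked for emptiness, before any verifier object is used, so an unknown or `none` algorithm can only ever produce a 401 and an audit log line, never an uncaught exception that leaks a stack trace into the server log.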
