Missing null-check in `IdentityOauthEventHandler` leads to 500 error when removing a scope-less application authorised API resource #21395

vfraga · 2024-10-17T17:59:42Z

Describe the issue:
Can't delete a scope-less application authorized API resource in the Console application due to a 500 error.

How to reproduce:

Setup and start a Identity Server 7.0.0 instance.
Access the Console application, and create a Standard-Based Application.
Go to API Authorization, click 'Authorize an API Resource', select any option for the 'API Resource' field, leave 'Authorized Scopes' blank, and click the 'Finish' button.
Try to delete the authorized API resource by clicking the trash icon, ticking on the 'Please confirm your action.' checkbox, and clicking the 'Confirm' button.
Observe the error message in the bottom-right corner, and the stacktrace in the carbon logs.

Expected behavior:
Users should be able to remove an Authorized API Resource definition even if it doesn't have any defined scope. Either:

IdentityOauthEventHandler::handleEvent does a null-check before calling AuthorizedAPI::getScopes at [1];
Change AuthorizedAPI::getScopes [2] to return an empty list if scopes is null;
Add an else branch in - AuthorizedAPIDAOImpl::getAuthorizedAPI [3] to set an empty list on the AuthorizedAPI#scopes field.

Environment information:

The text was updated successfully, but these errors were encountered:

HasiniSama · 2024-11-05T10:44:12Z

The Master was already fixed by the following PRs:

sandushi self-assigned this Nov 4, 2024

HasiniSama assigned HasiniSama and unassigned sandushi Nov 5, 2024

HasiniSama closed this as completed Nov 5, 2024

nilasini added this to the 7.1.0-m5 milestone Nov 7, 2024

Provide feedback