There is 1 update, 1 comment.
 
 
OpenId Connect / OIDC-256 Open

Authenticator Callback - Cannot invoke "javax.servlet.http.HttpSession.getId()" because "httpSession" is null


1 update

 
Changes by Michael Schröder on 03/Sep/25 08:40
 
Description: Used OpenID Connect Authenticator with Keycloak as OpenId Connect Provider.

In the Login process, there is an Internal Server Error (Root Cause: "Cannot invoke "javax.servlet.http.HttpSession.getId()" because "httpSession" is null"), when the user is first redirected to the /oidc/authenticator/callback endpoint coming from Keycloak. See screenshot.

If the user opens the same URL (https://xwiki/oidc/authenticator/callback?state=llfn0OSHhkmF...&session_state=1a8fcdc3...&iss=https%3A%2F%2Fsso%2Frealms%2Ftest&code=d1e5e24e..) manually via Browser again, the login is successful.

Tested with xWiki 7.44 and 7.6.0
(installed via [https://github.com/xwiki-contrib/xwiki-helm]).
 
 
 

1 comment

 
Michael Schröder on 03/Sep/25 08:36
 
I think it is an issue with xwiki (core and/or the helm chart) [https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Configuration/#HTrusteddomains] configurations and not the extension. I set the Keycloak domain in the configuration, but it seems to be ignored.
The Browser log shows: "Cookie “JSESSIONID” with the “SameSite” attribute value “Lax” or “Strict” was omitted because of a cross-site redirect."

Setting the cookie configuration ([https://stackoverflow.com/questions/57505939/how-to-set-samesite-cookie-in-tomcats-cookie-processor]) to "lax" via the init script solved the problem.

Many thanks for your support.
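
The SameSite behaviour reported in the comment above, as an added example that is not part of the original issue and is not XWiki, Tomcat or Keycloak code: a simplified model of the browser's decision whether to attach `JSESSIONID` to the OIDC callback request. The function names are hypothetical, the header strings are constructed samples, and a missing SameSite attribute is assumed to default to Lax.

```python
# Added example: simplified model of browser SameSite rules, not XWiki/Tomcat code.
from http.cookies import SimpleCookie

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def samesite_of(set_cookie_header, name="JSESSIONID"):
    """Return the cookie's SameSite value in lower case.
    Assumption: a missing attribute is treated as Lax (Chromium's default)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        raise KeyError(f"{name} not set by this header")
    return (jar[name]["samesite"] or "lax").lower()

def cookie_sent(samesite, cross_site, top_level, method):
    """Would the browser attach the cookie to this request?"""
    if not cross_site or samesite == "none":
        return True
    if samesite == "lax":
        # Lax: only top-level navigations with a safe method cross sites.
        return top_level and method.upper() in SAFE_METHODS
    return False  # strict: never on a cross-site request

def callback_has_session(set_cookie_header, typed_in_address_bar=False):
    """OIDC callback: a top-level GET that arrives via redirect from the IdP
    (cross-site) or, if the user re-enters the URL, a same-site navigation."""
    return cookie_sent(samesite_of(set_cookie_header),
                       cross_site=not typed_in_address_bar,
                       top_level=True, method="GET")

# Constructed sample headers (not captured from a real deployment).
STRICT = "JSESSIONID=A1B2C3; Path=/; Secure; HttpOnly; SameSite=Strict"
LAX = "JSESSIONID=A1B2C3; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for label, hdr in (("strict", STRICT), ("lax", LAX)):
        print(label, "redirect from IdP:", callback_has_session(hdr),
              "| typed URL:", callback_has_session(hdr, typed_in_address_bar=True))
```

In this model a Strict session cookie is absent on the redirect from the identity provider but present when the same URL is opened by hand, which matches the symptom in the description; with Lax the cookie accompanies the redirect.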