[
https://issues.apache.org/jira/browse/KNOX-2266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17054069#comment-17054069
]
Kevin Risden commented on KNOX-2266:
------------------------------------
nice catch!
> Tokens Should Include a Unique Identifier
> -----------------------------------------
>
> Key: KNOX-2266
> URL: https://issues.apache.org/jira/browse/KNOX-2266
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 1.4.0
> Reporter: Philip Zampino
> Assignee: Philip Zampino
> Priority: Major
> Fix For: 1.4.0
>
>
> It has recently been discovered that the Knox Token service will issue
> duplicate tokens to clients making concurrent requests separated by
> milliseconds or less. This is due to the nimbus JWT library truncating
> expiration times to units of seconds.
> For many use cases, this is probably not an issue. However, as soon as support
> for token renewal and revocation is enabled, there is the potential for
> actions intended for one client's token to have unexpected effects on other
> clients' tokens. This problem is potentially exacerbated in HA Knox
> deployments, whereby multiple Knox instances can receive simultaneous
> requests for tokens.
> These issued tokens must be unique.
> The inclusion of a private claim, the value of which is a UUID, would yield
> such unique tokens.
> An additional advantage of this is that the TokenStateService can use these
> UUIDs instead of the Base64-encoded tokens themselves as keys for the
> associated state. This will alleviate some limitations associated with the
> implementations of this service (e.g., Java keystore lower-cases aliases).
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
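The collision the issue describes, and the UUID-claim fix, as an added stand-alone example (not Knox or Nimbus code): a minimal stdlib HS256 signer stands in for the JWT library, the signing key and timestamps are constructed demo values, and the UUID is carried in the registered `jti` claim (the issue only says "a private claim"; the claim name is an assumption). The state service keyed by that UUID instead of the Base64 token is likewise illustrative.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-signing-key"  # constructed, not a real Knox secret

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Minimal HS256 JWT encoder; deterministic for identical claims, like any JWS."""
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def issue_token(subject: str, now: float, ttl_seconds: int = 3600, unique: bool = False) -> str:
    # 'exp' is a NumericDate in whole seconds, so requests milliseconds apart
    # produce identical claims; that is the truncation behind the duplicate tokens.
    claims = {"iss": "KNOXSSO", "sub": subject, "exp": int(now) + ttl_seconds}
    if unique:
        claims["jti"] = str(uuid.uuid4())  # assumed claim name; a UUID per issued token
    return sign_jwt(claims)

def claims_of(token: str) -> dict:
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

class TokenStateService:
    """Illustrative state store keyed by the token's UUID rather than the Base64
    token string, so backends that mangle keys (e.g. lower-casing aliases) are safe."""
    def __init__(self) -> None:
        self._state: dict[str, dict] = {}

    def add(self, token: str) -> str:
        jti = claims_of(token)["jti"]
        self._state[jti] = {"revoked": False}
        return jti

    def revoke(self, token: str) -> None:
        self._state[claims_of(token)["jti"]]["revoked"] = True

    def is_revoked(self, token: str) -> bool:
        return self._state[claims_of(token)["jti"]]["revoked"]

if __name__ == "__main__":
    t1, t2 = 1583000000.123, 1583000000.456  # constructed: two requests 333 ms apart
    print("duplicate without jti:", issue_token("alice", t1) == issue_token("alice", t2))
    a, b = issue_token("alice", t1, unique=True), issue_token("alice", t2, unique=True)
    svc = TokenStateService(); svc.add(a); svc.add(b); svc.revoke(a)
    print("distinct with jti:", a != b, "| revoking a affects b:", svc.is_revoked(b))
```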