[ https://issues.apache.org/jira/browse/KNOX-3031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Larry McCay updated KNOX-3031:
------------------------------
    Description:
Noticed that use of CLIENT_ID and SECRET for OAuth flows with knox.token.exp.server-managed not set to true results in a 200 response code and no body when attempting to use the token exchange flow with the KNOXTOKEN service.

Note that the same is true for passcode token based authentication, which is what is used by the OAuth client credentials support.

Have to change this to return a 401 since the client id cannot be verified without the state store. See AbstractJWTFilter (line 436).

  was:
Noticed that use of CLIENT_ID and SECRET for OAuth flows with knox.token.exp.server-managed not set to true results in a 200 response code and no body when attempting to use the token exchange flow with the KNOXTOKEN service.

Have to change this to return a 401 since the client id cannot be verified without the state store. See AbstractJWTFilter (line 436).


> CLIENT_ID and CLIENT_SECRET without Token Managed set results in 200 inappropriately
> ------------------------------------------------------------------------------------
>
>                 Key: KNOX-3031
>                 URL: https://issues.apache.org/jira/browse/KNOX-3031
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: JWT
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.1.0
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
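The failure mode in the report is a fail-open path: a credential that can only be checked against the server-managed token state store is accepted for processing when that store is not configured, and the request ends in a 200 with an empty body instead of a 401. The following is an added example written for this page, not Apache Knox code and not the AbstractJWTFilter change the issue refers to; it models the check as a plain Java class so it runs stand-alone. The class and method names (TokenExchangeGuard, authorize, TokenStateStore), the in-memory store, its client id "svc-reporting", secret "s3cret" and passcode "pc-abc123" are all constructed for illustration; only the property name knox.token.exp.server-managed and the 200/401 behaviour come from the report.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical model (not Apache Knox code) of the fail-closed check KNOX-3031
 * asks for. CLIENT_ID/CLIENT_SECRET and passcode credentials can only be
 * verified against the server-managed token state store, so when
 * knox.token.exp.server-managed is not true the KNOXTOKEN exchange must answer
 * 401 rather than fall through to a 200 with an empty body.
 */
public class TokenExchangeGuard {

    /** Stand-in for an HTTP response: status code plus body. */
    public static final class Result {
        public final int status;
        public final String body;
        Result(int status, String body) { this.status = status; this.body = body; }
        @Override public String toString() { return status + " " + (body.isEmpty() ? "<empty body>" : body); }
    }

    /** Stand-in for the token state store that only exists when server-managed is enabled. */
    public interface TokenStateStore {
        boolean verifyClient(String clientId, String clientSecret);
        boolean verifyPasscode(String passcode);
    }

    private final boolean serverManaged;
    private final TokenStateStore store;   // null when no state store is configured

    public TokenExchangeGuard(Map<String, String> gatewayConfig, TokenStateStore store) {
        // Property absent or anything other than "true" means no server-managed state.
        this.serverManaged = Boolean.parseBoolean(
                gatewayConfig.getOrDefault("knox.token.exp.server-managed", "false"));
        this.store = store;
    }

    /**
     * Decide a KNOXTOKEN exchange. Any parameter may be null when the client did
     * not send it. Returns 401 whenever a state-backed credential is presented
     * but cannot be verified, including the case where no state store exists.
     */
    public Result authorize(String clientId, String clientSecret, String passcode) {
        boolean clientCreds = clientId != null || clientSecret != null;
        boolean stateBacked = clientCreds || passcode != null;

        // The fix: without the state store the client id (or passcode) cannot be
        // verified, so fail closed instead of answering 200 with no body.
        if (stateBacked && (!serverManaged || store == null)) {
            return unauthorized("client credentials and passcodes require knox.token.exp.server-managed=true");
        }
        if (clientCreds) {
            if (clientId == null || clientSecret == null || !store.verifyClient(clientId, clientSecret)) {
                return unauthorized("client_id/client_secret could not be verified");
            }
            return new Result(200, "{\"access_token\":\"<issued for " + clientId + ">\"}");
        }
        if (passcode != null) {
            if (!store.verifyPasscode(passcode)) {
                return unauthorized("passcode could not be verified");
            }
            return new Result(200, "{\"access_token\":\"<issued for passcode>\"}");
        }
        return unauthorized("no credential presented");
    }

    private static Result unauthorized(String reason) {
        // RFC 6749 style error body so the caller can tell why the exchange failed.
        return new Result(401, "{\"error\":\"invalid_client\",\"error_description\":\"" + reason + "\"}");
    }

    /** Constructed in-memory store standing in for a real token state service. */
    static final class InMemoryStore implements TokenStateStore {
        private final Map<String, String> secrets = new HashMap<>();
        InMemoryStore() { secrets.put("svc-reporting", "s3cret"); }

        public boolean verifyClient(String id, String secret) {
            String expected = secrets.get(id);
            if (expected == null || secret == null) return false;
            // Constant-time comparison so the secret check does not leak by timing.
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         secret.getBytes(StandardCharsets.UTF_8));
        }

        public boolean verifyPasscode(String passcode) {
            return MessageDigest.isEqual("pc-abc123".getBytes(StandardCharsets.UTF_8),
                                         passcode.getBytes(StandardCharsets.UTF_8));
        }
    }

    public static void main(String[] args) {
        Map<String, String> managed = new HashMap<>();
        managed.put("knox.token.exp.server-managed", "true");
        Map<String, String> unmanaged = new HashMap<>();   // property not set, as in the report

        TokenExchangeGuard withState = new TokenExchangeGuard(managed, new InMemoryStore());
        TokenExchangeGuard withoutState = new TokenExchangeGuard(unmanaged, null);

        System.out.println("managed, valid client:   " + withState.authorize("svc-reporting", "s3cret", null));
        System.out.println("managed, wrong secret:   " + withState.authorize("svc-reporting", "nope", null));
        System.out.println("managed, valid passcode: " + withState.authorize(null, null, "pc-abc123"));
        System.out.println("unmanaged, client creds: " + withoutState.authorize("svc-reporting", "s3cret", null));
        System.out.println("unmanaged, passcode:     " + withoutState.authorize(null, null, "pc-abc123"));
    }
}
```

Compile and run with `javac TokenExchangeGuard.java && java TokenExchangeGuard`. The two "unmanaged" lines are the cases the report describes: the same credentials that succeed against a configured state store are rejected with 401 and an error body, rather than accepted into a 200 with nothing in it, so a client cannot mistake an unverified exchange for a successful one.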