smolnar82 opened a new pull request, #906: URL: https://github.com/apache/knox/pull/906
## What changes were proposed in this pull request?

As described in the [corresponding JIRA](https://issues.apache.org/jira/browse/KNOX-3037), Knox no longer accepts the `grant_type` and `client_secret` as query parameters. Instead, they should be passed in the request body.

For reviewers: I'm not satisfied with the `WARN` message I added in case the client secret is passed as a query param. I'm hoping for a better sentence from someone :)

## How was this patch tested?

Added JUnit tests and conducted manual testing:

1. Using the request body:

```
$ curl -ik -X GET -H "Content-Type: application/x-www-form-urlencoded" \
    --data "grant_type=client_credentials" --data "client_id=$CLIENT_ID" \
    --data-urlencode "client_secret=$CLIENT_SECRET" \
    https://localhost:8443/gateway/tokenbased/oauth/v1/token
HTTP/1.1 200 OK
Date: Wed, 08 May 2024 11:19:06 GMT
Content-Type: application/json
Content-Length: 1061

{"access_token":"eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3Rva2VuYmFzZWRcL29hdXRoXC92MVwvandrcy5qc29uIiwia2lkIjoiQ2t3dkZFY1VBbkpUbGtyWWhjazk1RHdIYU5GeGkzdER4S2JxQ2VTWE8yOCIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvdG9rZW5iYXNlZFwvb2F1dGhcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJDa3d2RkVjVUFuSlRsa3JZaGNrOTVEd0hhTkZ4aTN0RHhLYnFDZVNYTzI4IiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTAzNjgsIm1hbmFnZWQudG9rZW4iOiJ0cnVlIiwia25veC5pZCI6ImNlNzA2MDZlLTk1OWQtNDQ5NC1hOWFiLWU3OGEyY2IwYzQ4YyJ9.fVa9Uy2UwXzl-kTJcVCaSBpXpUbs9pK5GZyU3BjyZPkkqAruo-eGJIHnkP8TP5bbiGQh2eNjKiaIUd32apXt-164IcwU3QSg7f95pYCC6XCY8g5Lcsk3rFfs-o55oaV8Uo21CJ4N762taC2sC8xKUXDWaOxttcc2uIufy_VBebCR1S2itlCgGREqL-amxeUtKs3_UQ-7ZcBTxDLO_iC5T1tlFSqdQuvW0puWTsjc8iUQ19WgvDiMqOO2MBt9aE96fUNZN41h9Vy3Y6eNWuQVv_qptRgi_Ib8G76ktjMB_PGcft4M9FuUwLyofbAKWqVVsDKUlcWoBakJ5cfRjzpK3Q","refresh_token":"b8987378-b016-4a78-99d8-5b73fcf59449","issued_token_type":"urn:ietf:params:oauth:token-type:access_token","token_type":"Bearer","expires_in":10368000}
```

2. Using query params (achieved by adding the `-G` option to the `curl` command):

```
$ curl -G -ik -X GET -H "Content-Type: application/x-www-form-urlencoded" \
    --data "grant_type=client_credentials" --data "client_id=$CLIENT_ID" \
    --data-urlencode "client_secret=$CLIENT_SECRET" \
    https://localhost:8443/gateway/tokenbased/oauth/v1/token
HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 429

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 Unauthorized</title>
</head>
<body><h2>HTTP ERROR 401 Unauthorized</h2>
<table>
<tr><th>URI:</th><td>/gateway/tokenbased/oauth/v1/token</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Unauthorized</td></tr>
<tr><th>SERVLET:</th><td>tokenbased-knox-gateway-servlet</td></tr>
</table>
</body>
</html>
```

Relevant gateway.log:

```
2024-05-08 13:19:15,474 e63dfff7-f444-449a-9e11-69a742a89ba1 WARN federation.jwt (JWTFederationFilter.java:parseFromClientCredentialsFlow(276)) - Client secret passed as a query parameter and exposed in the logs.
2024-05-08 13:19:15,474 e63dfff7-f444-449a-9e11-69a742a89ba1 INFO federation.jwt (JWTFederationFilter.java:doFilter(223)) - Missing token: null
```
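The body-versus-query rule exercised by the two `curl` runs above, as an added illustration written for this page rather than code from Knox or from this PR: a small request evaluator that reads `grant_type` and `client_secret` only from an `application/x-www-form-urlencoded` body, refuses the request when either name shows up in the query string, and logs the warning by parameter name only, since the query string has already been written to the access log as part of the request line. The `Request`/`Decision` types, the `evaluate` function, the status codes chosen for the failure cases and the client id/secret values in the sample requests are all assumptions of this example; Knox's real logic lives in `JWTFederationFilter` and is not reproduced here.

```python
"""Reject OAuth client-credentials parameters that arrive in the query string.

Illustration only (not Knox code): models the behaviour the PR describes,
grant_type and client_secret must come from the form body, never the URL.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Parameter names that must only ever be read from the body.
BODY_ONLY = ("grant_type", "client_secret")
# Of those, the ones whose value must never be echoed into a log line.
SENSITIVE = ("client_secret",)


@dataclass
class Request:            # hypothetical request model
    method: str
    url: str
    headers: dict
    body: str = ""


@dataclass
class Decision:           # hypothetical outcome model
    status: int
    reason: str
    warnings: list = field(default_factory=list)
    params: dict = field(default_factory=dict)


def _form_params(raw):
    """Single-valued view of an application/x-www-form-urlencoded string."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def evaluate(req):
    """Decide whether a token request carries its credentials acceptably.

    The HTTP method is deliberately not checked: the manual test in the PR
    sends the form body with GET and Knox accepts it.
    """
    query = _form_params(urlsplit(req.url).query)
    ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    body = _form_params(req.body) if ctype == "application/x-www-form-urlencoded" else {}

    warnings = []
    # The query string is part of the request line, so it is already in the
    # access log. Warn by *name* only; never include the value.
    for name in BODY_ONLY:
        if name in query:
            label = "Client secret" if name in SENSITIVE else name
            warnings.append(f"{label} passed as a query parameter; it is exposed in logs")
    if warnings:
        # Status code is this example's choice; it mirrors the 401 seen in the PR test.
        return Decision(401, "credentials must be sent in the request body", warnings)

    if body.get("grant_type") != "client_credentials":
        return Decision(400, "unsupported or missing grant_type", warnings)
    if not body.get("client_id") or not body.get("client_secret"):
        return Decision(401, "missing client_id or client_secret", warnings)
    # Checking the secret against the registered client is out of scope here.
    return Decision(200, "ok", warnings,
                    {"client_id": body["client_id"], "grant_type": body["grant_type"]})


# Constructed sample requests mirroring the two curl invocations in the PR;
# the client id and secret values are made up for this example.
TOKEN_URL = "https://localhost:8443/gateway/tokenbased/oauth/v1/token"
FORM = "grant_type=client_credentials&client_id=example-client&client_secret=s3cr%26t"
BODY_REQUEST = Request("GET", TOKEN_URL,
                       {"Content-Type": "application/x-www-form-urlencoded"}, FORM)
QUERY_REQUEST = Request("GET", TOKEN_URL + "?" + FORM,
                        {"Content-Type": "application/x-www-form-urlencoded"})
# Secret correctly in the body, but grant_type leaked into the URL: still refused.
MIXED_REQUEST = Request("GET", TOKEN_URL + "?grant_type=client_credentials",
                        {"Content-Type": "application/x-www-form-urlencoded"},
                        "client_id=example-client&client_secret=s3cr%26t")

if __name__ == "__main__":
    for name, req in (("body", BODY_REQUEST), ("query", QUERY_REQUEST), ("mixed", MIXED_REQUEST)):
        d = evaluate(req)
        print(f"{name:6} -> {d.status} {d.reason}; warnings={d.warnings}")
```

The mixed case is the one worth keeping in a regression suite: a client that moves only the secret into the body still has `grant_type` in the URL, and the check should refuse that too rather than quietly accepting a half-migrated request.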