[ 
https://issues.apache.org/jira/browse/KNOX-3037?focusedWorklogId=918314&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918314
 ]

ASF GitHub Bot logged work on KNOX-3037:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/May/24 13:24
            Start Date: 08/May/24 13:24
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #906:
URL: https://github.com/apache/knox/pull/906

   ## What changes were proposed in this pull request?
   
   As described in the [corresponding 
JIRA](https://issues.apache.org/jira/browse/KNOX-3037), Knox no longer accepts 
the `grant_type` and `client_secret` as query parameters. Instead, they should 
be passed in the request body.
   
   For reviewers: I'm not satisfied with the `WARN` message I added in case the 
client secret is passed as a query param.  I'm hoping for a better sentence 
from someone :)
   
   ## How was this patch tested?
   
   Added JUnit tests and conducted manual testing:
   
   1. Using the request body:
   ```
   $ curl -ik -X GET -H "Content-Type: application/x-www-form-urlencoded" 
--data "grant_type=client_credentials" --data "client_id=$CLIENT_ID" 
--data-urlencode "client_secret=$CLIENT_SECRET" 
https://localhost:8443/gateway/tokenbased/oauth/v1/token
   HTTP/1.1 200 OK
   Date: Wed, 08 May 2024 11:19:06 GMT
   Content-Type: application/json
   Content-Length: 1061
   
   
{"access_token":"eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3Rva2VuYmFzZWRcL29hdXRoXC92MVwvandrcy5qc29uIiwia2lkIjoiQ2t3dkZFY1VBbkpUbGtyWWhjazk1RHdIYU5GeGkzdER4S2JxQ2VTWE8yOCIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvdG9rZW5iYXNlZFwvb2F1dGhcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJDa3d2RkVjVUFuSlRsa3JZaGNrOTVEd0hhTkZ4aTN0RHhLYnFDZVNYTzI4IiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTAzNjgsIm1hbmFnZWQudG9rZW4iOiJ0cnVlIiwia25veC5pZCI6ImNlNzA2MDZlLTk1OWQtNDQ5NC1hOWFiLWU3OGEyY2IwYzQ4YyJ9.fVa9Uy2UwXzl-kTJcVCaSBpXpUbs9pK5GZyU3BjyZPkkqAruo-eGJIHnkP8TP5bbiGQh2eNjKiaIUd32apXt-164IcwU3QSg7f95pYCC6XCY8g5Lcsk3rFfs-o55oaV8Uo21CJ4N762taC2sC8xKUXDWaOxttcc2uIufy_VBebCR1S2itlCgGREqL-amxeUtKs3_UQ-7ZcBTxDLO_iC5T1tlFSqdQuvW0puWTsjc8iUQ19WgvDiMqOO2MBt9aE96fUNZN41h9Vy3Y6eNWuQVv_qptRgi_Ib8G76ktjMB_PGcft4M9FuUwLyofbAKWqVVsDKUlcWoBakJ5cfRjzpK3Q","refresh_token":"b8987378-b016-4a78-99d8-5b73fcf59449","issued_token_type":"urn:ietf:params:oauth:token-type:access_token","token_type":"Bearer","expires_in":10368000}
   ```
   
   2. Using query params (achieved by adding the `-G` option to the `curl` 
command):
   ```
   $ curl -G -ik -X GET -H "Content-Type: application/x-www-form-urlencoded" 
--data "grant_type=client_credentials" --data "client_id=$CLIENT_ID" 
--data-urlencode "client_secret=$CLIENT_SECRET" 
https://localhost:8443/gateway/tokenbased/oauth/v1/token
   HTTP/1.1 401 Unauthorized
   Cache-Control: must-revalidate,no-cache,no-store
   Content-Type: text/html;charset=iso-8859-1
   Content-Length: 429
   
   <html>
   <head>
   <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
   <title>Error 401 Unauthorized</title>
   </head>
   <body><h2>HTTP ERROR 401 Unauthorized</h2>
   <table>
   <tr><th>URI:</th><td>/gateway/tokenbased/oauth/v1/token</td></tr>
   <tr><th>STATUS:</th><td>401</td></tr>
   <tr><th>MESSAGE:</th><td>Unauthorized</td></tr>
   <tr><th>SERVLET:</th><td>tokenbased-knox-gateway-servlet</td></tr>
   </table>
   
   </body>
   </html>
   ```
   Relevant gateway.log:
   ```
   2024-05-08 13:19:15,474 e63dfff7-f444-449a-9e11-69a742a89ba1 WARN  
federation.jwt (JWTFederationFilter.java:parseFromClientCredentialsFlow(276)) - 
Client secret passed as a query parameter and exposed in the logs.
   2024-05-08 13:19:15,474 e63dfff7-f444-449a-9e11-69a742a89ba1 INFO  
federation.jwt (JWTFederationFilter.java:doFilter(223)) - Missing token: null
   ```




Issue Time Tracking
-------------------

            Worklog Id:     (was: 918314)
    Remaining Estimate: 0h
            Time Spent: 10m

> Exposed client secret in gateway-audit.log
> ------------------------------------------
>
>                 Key: KNOX-3037
>                 URL: https://issues.apache.org/jira/browse/KNOX-3037
>             Project: Apache Knox
>          Issue Type: Bug
>            Reporter: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.1.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> KNOX-3016 added the ability to support OAuth client credentials flow in Knox. 
> However, the current implementation expects those new parameters to be added 
> as query parameters. This approach can lead to a serious security issue 
> because it means the client secret would be logged in gateway-audit.log.
> In the scope of this item, we should update the existing implementation to 
> accept the grant type and client secret parameters in the request body only.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)