[ 
https://issues.apache.org/jira/browse/KNOX-3037?focusedWorklogId=918492&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918492
 ]

ASF GitHub Bot logged work on KNOX-3037:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/May/24 07:34
            Start Date: 09/May/24 07:34
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on PR #906:
URL: https://github.com/apache/knox/pull/906#issuecomment-2102119538

   @lmccay - please review the new patchset.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 918492)
    Time Spent: 0.5h  (was: 20m)

> Exposed client secret in gateway-audit.log
> ------------------------------------------
>
>                 Key: KNOX-3037
>                 URL: https://issues.apache.org/jira/browse/KNOX-3037
>             Project: Apache Knox
>          Issue Type: Bug
>            Reporter: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.1.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> KNOX-3016 added the ability to support OAuth client credentials flow in Knox. 
> However, the current implementation expects those new parameters to be added 
> as query parameters. This approach can lead to a serious security issue 
> because it means the client secret would be logged in gateway-audit.log.
> In the scope of this item, we should update the existing implementation to 
> accept the grant type and client secret parameters in the request body only.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to