[ https://issues.apache.org/jira/browse/KNOX-3037?focusedWorklogId=918492&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918492 ]
ASF GitHub Bot logged work on KNOX-3037: ---------------------------------------- Author: ASF GitHub Bot Created on: 09/May/24 07:34 Start Date: 09/May/24 07:34 Worklog Time Spent: 10m Work Description: smolnar82 commented on PR #906: URL: https://github.com/apache/knox/pull/906#issuecomment-2102119538 @lmccay - please review the new patchset. Issue Time Tracking ------------------- Worklog Id: (was: 918492) Time Spent: 0.5h (was: 20m) > Exposed client secret in gateway-audit.log > ------------------------------------------ > > Key: KNOX-3037 > URL: https://issues.apache.org/jira/browse/KNOX-3037 > Project: Apache Knox > Issue Type: Bug > Reporter: Sandor Molnar > Priority: Critical > Fix For: 2.1.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > KNOX-3016 added the ability to support OAuth client credentials flow in Knox. > However, the current implementation expects those new parameters to be added > as query parameters. This approach can lead to a serious security issue > because it means the client secret would be logged in gateway-audit.log. > In the scope of this item, we should update the existing implementation to > accept the grant type and client secret parameters in the request body only. -- This message was sent by Atlassian Jira (v8.20.10#820010)