[ 
https://issues.apache.org/jira/browse/KNOX-3037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sandor Molnar updated KNOX-3037:
--------------------------------
    Description: 
KNOX-3016 added the ability to support OAuth client credentials flow in Knox. 
However, the current implementation expects those new parameters to be added as 
query parameters. This approach can lead to a serious security issue.

In the scope of this item, we should update the existing implementation to 
accept the grant type and client secret parameters in the request body only.

  was:
KNOX-3016 added the ability to support OAuth client credentials flow in Knox. 
However, the current implementation expects those new parameters to be added as 
query parameters. This approach can lead to a serious security issue because it 
means the client secret would be logged in gateway-audit.log.

In the scope of this item, we should update the existing implementation to 
accept the grant type and client secret parameters in the request body only.


> Wrong usage of client secret should not be accepted
> ---------------------------------------------------
>
>                 Key: KNOX-3037
>                 URL: https://issues.apache.org/jira/browse/KNOX-3037
>             Project: Apache Knox
>          Issue Type: Bug
>            Reporter: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.1.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> KNOX-3016 added the ability to support OAuth client credentials flow in Knox. 
> However, the current implementation expects those new parameters to be added 
> as query parameters. This approach can lead to a serious security issue.
> In the scope of this item, we should update the existing implementation to 
> accept the grant type and client secret parameters in the request body only.
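
The check the ticket asks for, as an added illustration that is not Knox code: a request/audit log of the kind the earlier description mentions (gateway-audit.log) records the request URI, so a client secret passed as a query parameter is written to disk in clear text, while one carried in the POST form body is not. The function below rejects any token request that places grant_type or client_secret in the query string and reads them from the body only. The path /token, the form fields, and the log format are constructed for this example.

```python
# Added illustration, not Knox code: accept OAuth client-credentials
# parameters from the POST body only, and show why the query string is the
# wrong place for them. All request lines and the log format are constructed.
from urllib.parse import parse_qs, urlsplit

# Parameters that KNOX-3037 says must be accepted from the request body only.
BODY_ONLY_PARAMS = frozenset({"grant_type", "client_secret"})

# Constructed sample requests (the /token path is a placeholder, not a Knox URL).
QUERY_STYLE_URI = "/token?grant_type=client_credentials&client_secret=s3cret"
BODY_STYLE_URI = "/token"
BODY_STYLE_FORM = "grant_type=client_credentials&client_secret=s3cret&client_id=app1"


def audit_line(method: str, request_uri: str) -> str:
    """Model of what a request/audit log typically records: the method and
    the full request URI, query string included, in clear text."""
    return f"{method} {request_uri}"


def validate_token_request(method: str, request_uri: str, body: str):
    """Return (True, credentials) when grant_type and client_secret come from
    the form body, or (False, reason) when the request must be rejected."""
    query = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    misplaced = sorted(BODY_ONLY_PARAMS & set(query))
    if misplaced:
        # Reject rather than silently honour the values: they are already in
        # the URL and would be written to the audit log as-is.
        return False, f"{misplaced} must be sent in the request body, not the query string"
    if method != "POST":
        return False, "client credentials flow requires a POST with a form body"
    form = parse_qs(body, keep_blank_values=True)
    grant_type = form.get("grant_type", [""])[0]
    client_secret = form.get("client_secret", [""])[0]
    if grant_type != "client_credentials":
        return False, "grant_type must be client_credentials"
    if not client_secret:
        return False, "client_secret is missing from the request body"
    return True, {"grant_type": grant_type,
                  "client_secret": client_secret,
                  "client_id": form.get("client_id", [""])[0]}


if __name__ == "__main__":
    print(audit_line("POST", QUERY_STYLE_URI))   # secret visible in the log line
    print(validate_token_request("POST", QUERY_STYLE_URI, ""))
    print(audit_line("POST", BODY_STYLE_URI))    # body is not part of the log line
    print(validate_token_request("POST", BODY_STYLE_URI, BODY_STYLE_FORM))
```

Rejecting the query-string form outright, rather than accepting it and redacting the log, is the point of the ticket: once the secret is in the URL it has already passed through every proxy, access log and browser history on the way in.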



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
