[jira] [Updated] (KNOX-3037) Wrong usage of client secret should not be accepted

Sandor Molnar (Jira) Thu, 09 May 2024 02:12:07 -0700


     [ 
https://issues.apache.org/jira/browse/KNOX-3037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Sandor Molnar updated KNOX-3037:
--------------------------------
    Affects Version/s: 2.1.0
             Assignee: Sandor Molnar
               Status: Patch Available  (was: Open)

> Wrong usage of client secret should not be accepted
> ---------------------------------------------------
>
>                 Key: KNOX-3037
>                 URL: https://issues.apache.org/jira/browse/KNOX-3037
>             Project: Apache Knox
>          Issue Type: Bug
>    Affects Versions: 2.1.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.1.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> KNOX-3016 added the ability to support OAuth client credentials flow in Knox. 
> However, the current implementation expects those new parameters to be added 
> as query parameters. This approach can lead to a serious security issue.
> In the scope of this item, we should update the existing implementation to 
> accept the grant type and client secret parameters in the request body only.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (KNOX-3037) Wrong usage of client secret should not be accepted

Reply via email to