[
https://issues.apache.org/jira/browse/KNOX-3037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17845128#comment-17845128
]
ASF subversion and git services commented on KNOX-3037:
-------------------------------------------------------
Commit a3a33aa997241a824ec457bd8e45132fdac92bb6 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=a3a33aa99 ]
KNOX-3037 - Client credentials flow accepts essential parameters in the request
body only (#906)
> Wrong usage of client secret should not be accepted
> ---------------------------------------------------
>
> Key: KNOX-3037
> URL: https://issues.apache.org/jira/browse/KNOX-3037
> Project: Apache Knox
> Issue Type: Bug
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> KNOX-3016 added the ability to support OAuth client credentials flow in Knox.
> However, the current implementation expects those new parameters to be added
> as query parameters. This approach can lead to a serious security issue.
> In the scope of this item, we should update the existing implementation to
> accept the grant type and client secret parameters in the request body only.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
