pzampino commented on code in PR #906:
URL: https://github.com/apache/knox/pull/906#discussion_r1596003168
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java:
##########
@@ -270,15 +278,41 @@ private Pair<TokenType, String>
parseFromClientCredentialsFlow(ServletRequest re
&grant_type=client_credentials
*/
- String grantType = request.getParameter(GRANT_TYPE);
- if (CLIENT_CREDENTIALS.equals(grantType)) {
- // this is indeed a client credentials flow client_id and
- // client_secret are expected now the client_id will be in
- // the token as the token_id so we will get that later
- token = request.getParameter(CLIENT_SECRET);
- parsed = Pair.of(TokenType.Passcode, token);
+ if (request.getParameter(CLIENT_SECRET) != null) {
Review Comment:
This is to disallow the secret in a query param? Does it matter that this
method (getParameter(String)) also returns posted form param values in addition
to query param values?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
