[jira] [Work logged] (KNOX-3037) Wrong usage of client secret should not be accepted

Thu, 09 May 2024 14:30:37 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-3037?focusedWorklogId=918616&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918616
 ]

ASF GitHub Bot logged work on KNOX-3037:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/May/24 21:29
            Start Date: 09/May/24 21:29
    Worklog Time Spent: 10m 
      Work Description: pzampino commented on code in PR #906:
URL: https://github.com/apache/knox/pull/906#discussion_r1596003168


##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java:
##########
@@ -270,15 +278,41 @@ private Pair<TokenType, String> 
parseFromClientCredentialsFlow(ServletRequest re
         &grant_type=client_credentials
        */
 
-      String grantType = request.getParameter(GRANT_TYPE);
-      if (CLIENT_CREDENTIALS.equals(grantType)) {
-        // this is indeed a client credentials flow client_id and
-        // client_secret are expected now the client_id will be in
-        // the token as the token_id so we will get that later
-        token = request.getParameter(CLIENT_SECRET);
-        parsed = Pair.of(TokenType.Passcode, token);
+      if (request.getParameter(CLIENT_SECRET) != null) {

Review Comment:
   This is to disallow the secret in a query param? Does it matter that this 
method (getParameter(String)) also returns posted form param values in addition 
to query param values?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 918616)
    Time Spent: 50m  (was: 40m)

> Wrong usage of client secret should not be accepted
> ---------------------------------------------------
>
>                 Key: KNOX-3037
>                 URL: https://issues.apache.org/jira/browse/KNOX-3037
>             Project: Apache Knox
>          Issue Type: Bug
>    Affects Versions: 2.1.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.1.0
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> KNOX-3016 added the ability to support OAuth client credentials flow in Knox. 
> However, the current implementation expects those new parameters to be added 
> as query parameters. This approach can lead to a serious security issue.
> In the scope of this item, we should update the existing implementation to 
> accept the grant type and client secret parameters in the request body only.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to