[jira] [Work logged] (KNOX-3145) Ensure that the CLIENT_ID presented with a CLIENT_SECRET is the owner of the secret

Sat, 03 May 2025 12:27:40 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-3145?focusedWorklogId=968443&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-968443
 ]

ASF GitHub Bot logged work on KNOX-3145:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/May/25 19:26
            Start Date: 03/May/25 19:26
    Worklog Time Spent: 10m 
      Work Description: lmccay opened a new pull request, #1039:
URL: https://github.com/apache/knox/pull/1039

   …he presented client_id
   
   (It is very **important** that you created an Apache Knox JIRA for this 
change and that the PR title/commit message includes the Apache Knox JIRA ID!)
   
   ## What changes were proposed in this pull request?
   
   Currently, the support for client_id and client_secret treats the inclusion 
of the CLIENT_ID as a formality of the client credentials flow and since the 
actual client_id is resolvable from the client_secret, it is ignored.
   
   While there it may be arguable whether we need to enforce this, it seems a 
reasonable expectation that they should match. Let's close that gap.
   
   ## How was this patch tested?
   
   New unit tests added and all existing and new tests run.
   Manually tested.
   
   Please review [Knox Contributing 
Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow)
 before opening a pull request.
   




Issue Time Tracking
-------------------

    Worklog Id:     (was: 968443)
    Time Spent: 20m  (was: 10m)

> Ensure that the CLIENT_ID presented with a CLIENT_SECRET is the owner of the 
> secret
> -----------------------------------------------------------------------------------
>
>                 Key: KNOX-3145
>                 URL: https://issues.apache.org/jira/browse/KNOX-3145
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.2.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Currently, the support for client_id and client_secret treats the inclusion 
> of the CLIENT_ID as a formality of the client credentials flow and since the 
> actual client_id is resolvable from the client_secret, it is ignored.
> While there it may be arguable whether we need to enforce this, it seems a 
> reasonable expectation that they should match. Let's close that gap.
> We may need to decide whether we want to make that configurable. Is there a 
> feature hidden in there somewhere?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to