[ https://issues.apache.org/jira/browse/KNOX-3145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18004058#comment-18004058 ]
ASF subversion and git services commented on KNOX-3145:
-------------------------------------------------------

Commit dd4dc8ffefe39ea4de53c5a49720e8523cd0a515 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-generation-ui/multi-635efc449e from Larry McCay
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=dd4dc8ffe ]

KNOX-3145 - Ensure Client Credentials flow client_secret belongs to t… (#1039)

* KNOX-3145 - Ensure Client Credentials flow client_secret belongs to the presented client_id

> Ensure that the CLIENT_ID presented with a CLIENT_SECRET is the owner of the
> secret
> -----------------------------------------------------------------------------------
>
> Key: KNOX-3145
> URL: https://issues.apache.org/jira/browse/KNOX-3145
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.2.0
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Currently, the support for client_id and client_secret treats the inclusion
> of the CLIENT_ID as a formality of the client credentials flow and since the
> actual client_id is resolvable from the client_secret, it is ignored.
> While it may be arguable whether we need to enforce this, it seems a
> reasonable expectation that they should match. Let's close that gap.
> We may need to decide whether we want to make that configurable. Is there a
> feature hidden in there somewhere?

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
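
The gap described in the issue, sketched as an added example in Java (the language Knox is written in); this is not Knox code or the committed fix. The class and method names, the hashed-secret lookup table, and the sample client ids and secret are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical sketch: names and storage layout are assumptions, not Knox's implementation.
public class ClientCredentialsCheck {
    // Constructed sample store: SHA-256(client_secret) -> client_id the secret was issued to.
    private final Map<String, String> ownerBySecretHash = new HashMap<>();

    static String sha256(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    void register(String clientId, String secret) throws Exception {
        ownerBySecretHash.put(sha256(secret), clientId);
    }

    // Behaviour the issue describes: the owner is resolved from the secret alone
    // and the presented client_id is never looked at.
    Optional<String> authenticateIgnoringClientId(String presentedClientId, String secret) throws Exception {
        return Optional.ofNullable(ownerBySecretHash.get(sha256(secret)));
    }

    // Behaviour the issue asks for: the presented client_id must be the owner of the secret.
    Optional<String> authenticateBound(String presentedClientId, String secret) throws Exception {
        String owner = ownerBySecretHash.get(sha256(secret));
        if (owner == null || presentedClientId == null) {
            return Optional.empty(); // unknown secret or missing client_id: reject
        }
        // Constant-time comparison of the resolved owner with the presented client_id.
        boolean same = MessageDigest.isEqual(
                owner.getBytes(StandardCharsets.UTF_8),
                presentedClientId.getBytes(StandardCharsets.UTF_8));
        return same ? Optional.of(owner) : Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        ClientCredentialsCheck store = new ClientCredentialsCheck();
        store.register("client-a", "constructed-secret-a");
        // Mismatched pair: a secret issued to client-a presented with client_id "client-b".
        System.out.println(store.authenticateIgnoringClientId("client-b", "constructed-secret-a"));
        System.out.println(store.authenticateBound("client-b", "constructed-secret-a"));
        // Matching pair is still accepted by the bound check.
        System.out.println(store.authenticateBound("client-a", "constructed-secret-a"));
    }
}
```

With the bound check, audit records and per-client policy that key on the presented client_id always refer to the identity that actually owns the secret.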