smolnar82 opened a new pull request, #1208: URL: https://github.com/apache/knox/pull/1208
[KNOX-3303](https://issues.apache.org/jira/browse/KNOX-3303) - Support configurable 'sub' claim reconciliation in Client Credentials flow

## What changes were proposed in this pull request?

This PR enhances the OAuth2-style Client Credentials flow in Apache Knox by introducing a configurable way to reconcile the `sub` (subject) claim in issued access tokens.

Key features:

1. Topology Configuration: Added a new `thirdPartyApp` parameter (defaults to `true`) to the `CLIENTID` service.
2. Metadata Persistence: The `thirdPartyApp` flag is now stored in the Token State Service metadata when client credentials are generated.
3. Subject Reconciliation:
   * If `thirdPartyApp=true` (default): The `sub` claim remains the technical `client_id`.
   * If `thirdPartyApp=false`: The `sub` claim is set to the `userName` of the credentials owner.
4. Client ID Claim: When `thirdPartyApp=false`, a new claim named `client_id` is added to the JWT payload, referring to the original technical identity (the token ID). This is in line with the claims listed in [RFC 9068](https://datatracker.ietf.org/doc/html/rfc9068#section-2.2).

## How was this patch tested?

Extended the automated test suite to verify the new logic:

1. TokenMetadataTest: Verified that `thirdPartyApp` metadata defaults to `true` and correctly parses explicit boolean values.
2. TokenServiceResourceTest: Confirmed that `ClientCredentialsResource` correctly reads the topology configuration and persists it into the database.
3. JWTFederationFilterTest: Validated that `AbstractJWTFilter` correctly reconciles the Subject principal based on the metadata flag and adds the `TokenIdPrincipal` when required.
4. JWTTokenTest: Verified that the `client_id` claim is correctly included in the issued JWT when a technical identity is present.

Commands run:

```
mvn test -Dtest=TokenMetadataTest -pl gateway-spi
mvn test -Dtest=TokenServiceResourceTest -pl gateway-service-knoxtoken
mvn test -Dtest=JWTFederationFilterTest -pl gateway-provider-security-jwt
mvn test -Dtest=JWTTokenTest -pl gateway-spi
```

**TODO**: E2E testing using a local Knox instance

## Integration Tests

N/A - Sufficient unit and mock-based integration tests were added to cover the logic within the affected services and filters.

## UI changes

N/A
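As an added example (not code from this PR or from Knox itself), the following Python sketch shows the two reconciliation modes described above and the checks a relying party can apply to the resulting token. The signing secret, the HS256 minting, the issuer value and the use of `jti` as the claim holding the token ID are all assumptions of this example, not Knox's own claim layout.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the HS256 signature in this example; not a Knox signing key.
SIGNING_SECRET = b"constructed-demo-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def reconcile_subject(token_id: str, user_name: str, metadata: dict) -> dict:
    """Pick the subject claims as the PR describes. 'thirdPartyApp' is read
    from the persisted token metadata (string or bool) and defaults to true."""
    third_party = str(metadata.get("thirdPartyApp", "true")).lower() != "false"
    if third_party:
        # Technical client: the token ID (client_id) itself is the subject.
        return {"sub": token_id}
    # Credential owned by a user: sub becomes the user, and client_id keeps the
    # technical identity, as in RFC 9068 section 2.2.
    return {"sub": user_name, "client_id": token_id}

def issue_jwt(token_id: str, user_name: str, metadata: dict) -> str:
    """Mint an HS256 JWT carrying the reconciled claims. Using 'jti' for the
    token ID and the issuer string are this example's assumptions."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "constructed-issuer", "jti": token_id}
    payload.update(reconcile_subject(token_id, user_name, metadata))
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def decode_payload(jwt: str) -> dict:
    body = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def technical_identity(payload: dict) -> str:
    """Relying-party side: key audit logs and rate limits on the technical
    client, which is client_id when present and sub otherwise."""
    return payload.get("client_id", payload["sub"])

def check_consistency(payload: dict) -> bool:
    """Either sub is the token ID, or client_id is present and is the token ID;
    anything else means the technical identity cannot be traced."""
    if "client_id" in payload:
        return payload["client_id"] == payload["jti"]
    return payload["sub"] == payload["jti"]
```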
