[ https://issues.apache.org/jira/browse/KNOX-3308?focusedWorklogId=1016942&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1016942 ]
ASF GitHub Bot logged work on KNOX-3308:
----------------------------------------
Author: ASF GitHub Bot
Created on: 22/Apr/26 23:50
Start Date: 22/Apr/26 23:50
Worklog Time Spent: 10m
Work Description: lmccay opened a new pull request, #1211:
URL: https://github.com/apache/knox/pull/1211
[KNOX-1234](https://issues.apache.org/jira/browse/KNOX-3308) - Token
Exchange Flow using wrong param name
## What changes were proposed in this pull request?
The Token Exchange flow param name is inconsistent with the core OAuth
specification and requires both a full urn as the name and a hyphen rather than
an underscore: urn:ietf:params:oauth:grant-type:token-exchange
JWTFederationFilter is currently coded to expect a shortname with underscore
'token_exchange'.
In addition, UrlEncodedFormRequest wrapper has a brittle getParameter
implementation that hard codes the names of params that we know indicate that
the processing of the request body will be handled by us and there is no
danger in consuming the response out from under another handler.
Since this is in a generic path, I want to move the knowledge of that out to
the code that is handling the request processing rather than trying to keep
this list in sync with the consuming code. I'll add a ServletRequestUtils to
unwrap the servlet request so that we can get to the params ourselves within
those specific code blocks and otherwise the wrapper will no longer treat any
param names specially. This will also require the move of ServletRequestUtils
to the gateway-spi module.
## How was this patch tested?
Existing unit tests were corrected through the changes in the existing
constants.
All unit tests were run and passed.
## Integration Tests
none
Issue Time Tracking
-------------------
Worklog Id: (was: 1016942)
Remaining Estimate: 0h
Time Spent: 10m
> Token Exchange Flow using wrong param name
> ------------------------------------------
>
> Key: KNOX-3308
> URL: https://issues.apache.org/jira/browse/KNOX-3308
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 3.0.0
> Reporter: Philip Zampino
> Assignee: Larry McCay
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The Token Exchange flow param name is inconsistent with the core OAuth
> specification and requires both a full urn as the name and a hyphen rather
> than an underscore: urn:ietf:params:oauth:grant-type:token-exchange
> JWTFederationFilter is currently coded to expect a shortname with underscore
> 'token_exchange'.
> In addition, UrlEncodedFormRequest wrapper has a brittle getParameter
> implementation that hard codes the names of params that we know indicate that
> the processing of the request body will be handled by us and there is no
> danger in consuming the response out from under another handler.
> Since this is in a generic path, I want to move the knowledge of that out to
> the code that is handling the request processing rather than trying to keep
> this list in sync with the consuming code. I'll add a ServletRequestUtils to
> unwrap the servlet request so that we can get to the params ourselves within
> those specific code blocks and otherwise the wrapper will no longer treat any
> param names specially. This will also require the move of ServletRequestUtils
> to the gateway-spi module.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
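
The grant type mismatch described in the pull request above, as an added example that is not part of the pull request or of Knox's code: a stand-alone form-body check that accepts only the full URN and treats the short name as a different value. It assumes the identifier arrives as the value of the standard OAuth `grant_type` form parameter; the class name, method names and sample bodies are constructed for illustration and no Knox classes are used.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class GrantTypeCheck {
    // Grant type identifier for token exchange, as quoted in the pull request.
    static final String TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange";

    // Decode an application/x-www-form-urlencoded body into name/value pairs.
    // A repeated parameter is rejected: OAuth requests must not carry one twice,
    // and picking "first" or "last" lets two handlers disagree on the grant type.
    static Map<String, String> parseForm(String body) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            if (params.putIfAbsent(name, value) != null) {
                throw new IllegalArgumentException("duplicate parameter: " + name);
            }
        }
        return params;
    }

    // Exact, case-sensitive comparison: no short names, no prefix or substring matching.
    static boolean isTokenExchange(Map<String, String> params) {
        return TOKEN_EXCHANGE.equals(params.get("grant_type"));
    }

    public static void main(String[] args) {
        // Constructed sample request bodies; token values are placeholders.
        String[] bodies = {
            // Full URN with hyphens, colons percent-encoded as a client would send them.
            "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&subject_token=PLACEHOLDER",
            // Short name with underscore: must not be treated as token exchange.
            "grant_type=token_exchange&subject_token=PLACEHOLDER",
            // URN spelled with underscores: also a different value.
            "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant_type%3Atoken_exchange&subject_token=PLACEHOLDER",
        };
        for (String body : bodies) {
            Map<String, String> p = parseForm(body);
            System.out.println(p.get("grant_type") + " -> "
                + (isTokenExchange(p) ? "token exchange" : "not token exchange"));
        }
    }
}
```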