Re: [PR] KNOX-3312 - Client Credentials Flow with HTTP Basic needs Unwrapped S… [knox]

Tue, 05 May 2026 04:51:25 -0700 


smolnar82 commented on code in PR #1219:
URL: https://github.com/apache/knox/pull/1219#discussion_r3188158078


##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java:
##########
@@ -361,12 +361,15 @@ private Pair<TokenType, String> 
parseFromHTTPBasicCredentials(final String heade
       String passcode = values[1].isEmpty() ? null : values[1];
       if (TOKEN.equalsIgnoreCase(username) || 
PASSCODE.equalsIgnoreCase(username)) {
           parsed = Pair.of(TOKEN.equalsIgnoreCase(username) ? TokenType.JWT : 
TokenType.Passcode, passcode);
-      } else if (request != null && 
CLIENT_CREDENTIALS.equals(request.getParameter(GRANT_TYPE))) {
-          // Allow client_credentials flow where client_id/client_secret are 
provided via HTTP Basic
-          if (passcode != null) {
-            validateClientID(username, passcode);
-            parsed = Pair.of(TokenType.Passcode, passcode);
-          }
+      } else if (request != null) {
+          HttpServletRequest unwrappedRequest = 
ServletRequestUtils.unwrapHttpServletRequest(request);

Review Comment:
   What if we added a util method in ServletRequestUtils, like this:
   ```
       private String getRequestParam(String paramName) {
           String requestParamValue = request.getParameter(paramName);
           if (requestParamValue == null) {
               requestParamValue = 
ServletRequestUtils.unwrapHttpServletRequest(request).getParameter(paramName);
           }
           return requestParamValue;
       }
   ```
   Then the above change would look like:
   ```
   } else if (request != null && 
CLIENT_CREDENTIALS.equals(ServletRequestUtils.getRequestParam(GRANT_TYPE)))
   ```
   I did the same in my KnoxIDF branch, which I realized it should not be 
scoped to my [KnoxIDF 
TokenResource.](https://github.com/smolnar82/knox/blob/knox_idf_smolnar/gateway-service-knoxidf/src/main/java/org/apache/knox/gateway/service/knoxidf/TokenResource.java#L387C1-L393C6)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to