[jira] [Work logged] (KNOX-3312) Client Credentials Flow with HTTP Basic needs Unwrapped Servlet Request

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-3312?focusedWorklogId=1018771&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1018771
 ]

ASF GitHub Bot logged work on KNOX-3312:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 05/May/26 11:51
            Start Date: 05/May/26 11:51
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on code in PR #1219:
URL: https://github.com/apache/knox/pull/1219#discussion_r3188158078


##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java:
##########
@@ -361,12 +361,15 @@ private Pair<TokenType, String> 
parseFromHTTPBasicCredentials(final String heade
       String passcode = values[1].isEmpty() ? null : values[1];
       if (TOKEN.equalsIgnoreCase(username) || 
PASSCODE.equalsIgnoreCase(username)) {
           parsed = Pair.of(TOKEN.equalsIgnoreCase(username) ? TokenType.JWT : 
TokenType.Passcode, passcode);
-      } else if (request != null && 
CLIENT_CREDENTIALS.equals(request.getParameter(GRANT_TYPE))) {
-          // Allow client_credentials flow where client_id/client_secret are 
provided via HTTP Basic
-          if (passcode != null) {
-            validateClientID(username, passcode);
-            parsed = Pair.of(TokenType.Passcode, passcode);
-          }
+      } else if (request != null) {
+          HttpServletRequest unwrappedRequest = 
ServletRequestUtils.unwrapHttpServletRequest(request);

Review Comment:
   What if we added a util method in ServletRequestUtils, like this:
   ```
       public static String getRequestParam(final ServletRequest request, final 
String paramName) {
           if (request == null) {
               return null;
           }
           String requestParamValue = request.getParameter(paramName);
           if (requestParamValue == null) {
               requestParamValue = 
ServletRequestUtils.unwrapHttpServletRequest(request).getParameter(paramName);
           }
           return requestParamValue;
       }
   ```
   Then the above change would look like:
   ```
   } else if 
(CLIENT_CREDENTIALS.equals(ServletRequestUtils.getRequestParam(GRANT_TYPE)))
   ```
   I did the same in my KnoxIDF branch, which I realized it should not be 
scoped to my [KnoxIDF 
TokenResource.](https://github.com/smolnar82/knox/blob/knox_idf_smolnar/gateway-service-knoxidf/src/main/java/org/apache/knox/gateway/service/knoxidf/TokenResource.java#L387C1-L393C6)





Issue Time Tracking
-------------------

    Worklog Id:     (was: 1018771)
    Time Spent: 1h 50m  (was: 1h 40m)

> Client Credentials Flow with HTTP Basic needs Unwrapped Servlet Request
> -----------------------------------------------------------------------
>
>                 Key: KNOX-3312
>                 URL: https://issues.apache.org/jira/browse/KNOX-3312
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: JWT
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> Current implementation can't get to the grant_type request param.
> Unit tests mock out the requests and make it hard to tease this out as an 
> issue.
> When we know that there is an Authorization header and that it is Basic then 
> we need to check whether there is the hardcoded username of token or passcode 
> and if not, unwrap the request to check for a grant_type for OAuth 
> client_credentials and handle it appropriately.
> Current implementation tries to check that but the params are hidden by the 
> wrappers.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)