[jira] [Work logged] (KNOX-3312) Client Credentials Flow with HTTP Basic needs Unwrapped Servlet Request

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-3312?focusedWorklogId=1018844&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1018844
 ]

ASF GitHub Bot logged work on KNOX-3312:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 05/May/26 19:14
            Start Date: 05/May/26 19:14
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on code in PR #1219:
URL: https://github.com/apache/knox/pull/1219#discussion_r3190944769


##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java:
##########
@@ -361,12 +361,15 @@ private Pair<TokenType, String> 
parseFromHTTPBasicCredentials(final String heade
       String passcode = values[1].isEmpty() ? null : values[1];
       if (TOKEN.equalsIgnoreCase(username) || 
PASSCODE.equalsIgnoreCase(username)) {
           parsed = Pair.of(TOKEN.equalsIgnoreCase(username) ? TokenType.JWT : 
TokenType.Passcode, passcode);
-      } else if (request != null && 
CLIENT_CREDENTIALS.equals(request.getParameter(GRANT_TYPE))) {
-          // Allow client_credentials flow where client_id/client_secret are 
provided via HTTP Basic
-          if (passcode != null) {
-            validateClientID(username, passcode);
-            parsed = Pair.of(TokenType.Passcode, passcode);
-          }
+      } else if (request != null) {
+          HttpServletRequest unwrappedRequest = 
ServletRequestUtils.unwrapHttpServletRequest(request);

Review Comment:
   As indicated offline, the reason for the wrapping was added in #719 by 
@zeroflag a couple years ago.
   I do agree with the proposal of having clear method names, and I still think 
that having a utility method is a good idea.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 1018844)
    Time Spent: 2h 10m  (was: 2h)

> Client Credentials Flow with HTTP Basic needs Unwrapped Servlet Request
> -----------------------------------------------------------------------
>
>                 Key: KNOX-3312
>                 URL: https://issues.apache.org/jira/browse/KNOX-3312
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: JWT
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> Current implementation can't get to the grant_type request param.
> Unit tests mock out the requests and make it hard to tease this out as an 
> issue.
> When we know that there is an Authorization header and that it is Basic then 
> we need to check whether there is the hardcoded username of token or passcode 
> and if not, unwrap the request to check for a grant_type for OAuth 
> client_credentials and handle it appropriately.
> Current implementation tries to check that but the params are hidden by the 
> wrappers.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)