-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KNOX-3037 - Client credentials flow accepts essential parameters in the request body only #906
Conversation
Cc. @kardolus |
f407740
to
1c28262
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Already made comments on this.
…he request body only
@lmccay - please review the new patchset. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
+1
// the token as the token_id so we will get that later | ||
token = request.getParameter(CLIENT_SECRET); | ||
parsed = Pair.of(TokenType.Passcode, token); | ||
if (request.getParameter(CLIENT_SECRET) != null) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is to disallow the secret in a query param? Does it matter that this method (getParameter(String)) also returns posted form param values in addition to query param values?
What changes were proposed in this pull request?
As described in the corresponding JIRA, Knox no longer accepts the
grant_type
andclient_secret
as query parameters. Instead, they should be passed in the request body.For reviewers: I'm not satisfied with the
WARN
message I added in case the client secret is passed as a query param. I'm hoping for a better sentence from someone :)How was this patch tested?
Added JUnit tests and conducted manual testing:
-G
option in thecurl
command:Relevant gateway.log: