Philip Zampino created KNOX-2266:
------------------------------------

             Summary: Tokens Should Include a Unique Identifier
                 Key: KNOX-2266
                 URL: https://issues.apache.org/jira/browse/KNOX-2266
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
    Affects Versions: 1.4.0
            Reporter: Philip Zampino
            Assignee: Philip Zampino
             Fix For: 1.4.0


It has recently been discovered that the Knox Token service will issue 
duplicate tokens to clients making concurrent requests separated by 
milliseconds or less. This is due to the nimbus JWT library truncating 
expiration times to units of seconds.

For many use cases, this is probably not an issue. However, as soon as support 
for token renewal and revocation is enabled, there is the potential for actions 
intended for one client's token to have unexpected effects on other clients' 
tokens. This problem is potentially exacerbated in HA Knox deployments, where 
multiple Knox instances can receive simultaneous requests for tokens.

These issued tokens must be unique.

The inclusion of a private claim, the value of which is a UUID, would yield 
such unique tokens.

An additional advantage of this is that the TokenStateService can use these 
UUIDs instead of the Base64-encoded tokens themselves as keys for the 
associated state. This will alleviate some limitations associated with the 
implementations of this service (e.g., Java keystore lower-cases aliases).
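The following is an added example, not Knox's own code or its Nimbus-based implementation: it builds a minimal HS256 JWT from the Python standard library, stores `exp` as whole seconds (as the issue describes), and shows that two requests for the same principal one millisecond apart yield byte-identical tokens, while adding a UUID identifier claim (the registered `jti` claim is assumed here; the issue proposes a private claim for the same purpose) makes them distinct and lets a state service key revocation by that UUID. Timestamps and the signing key are constructed values.

```python
import base64, hashlib, hmac, json, uuid
from typing import Optional

SECRET = b"constructed-demo-secret"  # placeholder signing key, not a Knox value

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(subject: str, expiry_ms: int, token_id: Optional[str] = None) -> str:
    """Compact HS256 JWT. 'exp' is a NumericDate in whole seconds, so two requests
    that differ only by milliseconds produce the same claim set and signature."""
    claims = {"sub": subject, "exp": expiry_ms // 1000}
    if token_id is not None:
        claims["jti"] = token_id  # unique per-token identifier (assumed claim name)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def token_id_of(token: str) -> Optional[str]:
    """Read the identifier claim back out of the (unverified) payload segment."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("jti")

class TokenStateService:
    """Token state keyed by the UUID claim instead of the encoded token string."""
    def __init__(self) -> None:
        self._state = {}
    def register(self, token: str, expiry_ms: int) -> None:
        self._state[token_id_of(token)] = {"exp": expiry_ms, "revoked": False}
    def revoke(self, token: str) -> None:
        self._state[token_id_of(token)]["revoked"] = True
    def is_revoked(self, token: str) -> bool:
        return self._state[token_id_of(token)]["revoked"]

def demonstrate():
    base_ms = 1_700_000_000_000  # constructed issue time (ms since epoch)
    exp1, exp2 = base_ms + 60_000, base_ms + 60_001  # two requests 1 ms apart
    t1, t2 = issue_token("svc-account", exp1), issue_token("svc-account", exp2)
    duplicate = t1 == t2  # second-granularity exp collapses both requests
    u1 = issue_token("svc-account", exp1, token_id=str(uuid.uuid4()))
    u2 = issue_token("svc-account", exp2, token_id=str(uuid.uuid4()))
    tss = TokenStateService()
    tss.register(u1, exp1)
    tss.register(u2, exp2)
    tss.revoke(u1)  # revoking one client's token must not affect the other's
    return duplicate, u1 != u2, tss.is_revoked(u1), tss.is_revoked(u2)
```

`demonstrate()` returns `(True, True, True, False)`: duplicates without the identifier, distinct tokens with it, and revocation scoped to a single token.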
