Sandor Molnar created KNOX-3037:
-----------------------------------

Summary: Exposed client secret in gateway-audit.log
Key: KNOX-3037
URL: https://issues.apache.org/jira/browse/KNOX-3037
Project: Apache Knox
Issue Type: Bug
Reporter: Sandor Molnar
Fix For: 2.1.0
KNOX-3016 added the ability to support OAuth client credentials flow in Knox. However, the current implementation expects those new parameters to be added as query parameters. This approach can lead to a serious security issue because it means the client secret would be logged in gateway-audit.log.

In the scope of this item, we should update the existing implementation to accept the grant type and client secret parameters in the request body only.
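To illustrate the issue and the proposed fix, here is an added Python example that is not Knox code: a mock audit line that records the request URL verbatim (as gateway-audit.log does with query strings), the lenient "before" extractor that accepts the parameters from either the URL or the body, and a hardened "after" extractor that refuses them in the query string and only reads a form-encoded POST body. The endpoint URL and the secret value are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Parameters that must never travel in the URL: an audit log that records the
# request line would otherwise capture them (this is the KNOX-3037 problem).
BODY_ONLY_PARAMS = ("grant_type", "client_secret")
FORM = "application/x-www-form-urlencoded"


def audit_line(method: str, url: str) -> str:
    """Mimics an audit log entry that records the request line, query included."""
    return f"{method} {url}"


def extract_lenient(method: str, url: str, content_type: str, body: str) -> dict:
    """'Before' behaviour: merges query-string and body parameters."""
    params = parse_qs(urlsplit(url).query)
    if content_type.startswith(FORM):
        params.update(parse_qs(body))
    return {k: v[0] for k, v in params.items() if k in BODY_ONLY_PARAMS}


def extract_hardened(method: str, url: str, content_type: str, body: str):
    """'After' behaviour: parameters are accepted only from a form-encoded POST body.
    Returns (params, None) on success or (None, reason) when the request is refused."""
    leaked = sorted(set(parse_qs(urlsplit(url).query)) & set(BODY_ONLY_PARAMS))
    if leaked:
        return None, f"refusing {', '.join(leaked)} in the query string"
    if method != "POST" or not content_type.startswith(FORM):
        return None, f"client credentials must be POSTed as {FORM}"
    form = parse_qs(body)
    missing = [p for p in BODY_ONLY_PARAMS if p not in form]
    if missing:
        return None, f"missing {', '.join(missing)} in the request body"
    return {p: form[p][0] for p in BODY_ONLY_PARAMS}, None


if __name__ == "__main__":
    # Constructed sample requests; hostname, path and secret are placeholders.
    token_url = "https://gateway.example/token"
    creds = "grant_type=client_credentials&client_secret=PLACEHOLDER_SECRET"
    print(audit_line("POST", f"{token_url}?{creds}"))      # secret lands in the log
    print(extract_lenient("POST", f"{token_url}?{creds}", "", ""))
    print(extract_hardened("POST", f"{token_url}?{creds}", "", ""))
    print(audit_line("POST", token_url))                   # nothing sensitive logged
    print(extract_hardened("POST", token_url, FORM, creds))
```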