Larry McCay created KNOX-3145:
---------------------------------
Summary: Ensure that the CLIENT_ID presented with a CLIENT_SECRET
is the owner of the secret
Key: KNOX-3145
URL: https://issues.apache.org/jira/browse/KNOX-3145
Project: Apache Knox
Issue Type: Improvement
Components: Server
Reporter: Larry McCay
Assignee: Larry McCay
Fix For: 2.2.0

Currently, the support for client_id and client_secret treats the inclusion of
the CLIENT_ID as a formality of the client credentials flow and since the
actual client_id is resolvable from the client_secret, it is ignored.
While it may be arguable whether we need to enforce this, it seems a
reasonable expectation that they should match. Let's close that gap.
We may need to decide whether we want to make that configurable. Is there a
feature hidden in there somewhere?