[jira] [Work logged] (KNOX-3145) Ensure that the CLIENT_ID presented with a CLIENT_SECRET is the owner of the secret

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-3145?focusedWorklogId=968440&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-968440
 ]

ASF GitHub Bot logged work on KNOX-3145:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/May/25 19:01
            Start Date: 03/May/25 19:01
    Worklog Time Spent: 10m 
      Work Description: lmccay opened a new pull request, #1038:
URL: https://github.com/apache/knox/pull/1038

   (It is very **important** that you created an Apache Knox JIRA for this 
change and that the PR title/commit message includes the Apache Knox JIRA ID!)
   
   ## What changes were proposed in this pull request?
   
   Currently, the support for client_id and client_secret treats the inclusion 
of the CLIENT_ID as a formality of the client credentials flow and since the 
actual client_id is resolvable from the client_secret, it is ignored.
   
   While there it may be arguable whether we need to enforce this, it seems a 
reasonable expectation that they should match. Let's close that gap.
   
   We may need to decide whether we want to make that configurable. Is there a 
feature hidden in there somewhere?
   
   ## How was this patch tested?
   
   Ran existing unit tests and added new tests.
   Tested manually.
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 968440)
    Remaining Estimate: 0h
            Time Spent: 10m

> Ensure that the CLIENT_ID presented with a CLIENT_SECRET is the owner of the 
> secret
> -----------------------------------------------------------------------------------
>
>                 Key: KNOX-3145
>                 URL: https://issues.apache.org/jira/browse/KNOX-3145
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.2.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently, the support for client_id and client_secret treats the inclusion 
> of the CLIENT_ID as a formality of the client credentials flow and since the 
> actual client_id is resolvable from the client_secret, it is ignored.
> While there it may be arguable whether we need to enforce this, it seems a 
> reasonable expectation that they should match. Let's close that gap.
> We may need to decide whether we want to make that configurable. Is there a 
> feature hidden in there somewhere?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)