smolnar82 commented on code in PR #1039:
URL: https://github.com/apache/knox/pull/1039#discussion_r2075043467


##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java:
##########
@@ -240,17 +242,34 @@ public void doFilter(ServletRequest request, 
ServletResponse response, FilterCha
         // The received token value must be a Base64 encoded value of 
Base64(tokenId)::Base64(rawPasscode)
         String tokenId = null;
         String passcode = null;
+        boolean prechecks = true;
         try {
           final String[] base64DecodedTokenIdAndPasscode = 
decodeBase64(tokenValue).split("::");
           tokenId = decodeBase64(base64DecodedTokenIdAndPasscode[0]);
           passcode = decodeBase64(base64DecodedTokenIdAndPasscode[1]);
+          // if this is a client credentials flow request then ensure the 
presented clientId is
+          // the actual owner of the client_secret
+          final String requestBodyString = getRequestBodyString(request);
+          if (requestBodyString != null && !requestBodyString.isEmpty()) {
+            final String grantType = 
RequestBodyUtils.getRequestBodyParameter(requestBodyString, GRANT_TYPE);
+            if (grantType != null && !grantType.isEmpty()) {
+              final String clientID = 
RequestBodyUtils.getRequestBodyParameter(requestBodyString, CLIENT_ID);
+              // if there is no client_id then this is not a client 
credentials flow
+              if (clientID != null && !tokenId.equals(clientID)) {
+                prechecks = false;
+                log.wrongPasscodeToken(tokenId);
+                handleValidationError((HttpServletRequest) request, 
(HttpServletResponse) response,
+                        HttpServletResponse.SC_UNAUTHORIZED,
+                        MISMATCHING_CLIENT_ID_AND_CLIENT_SECRET);
+              }
+            }
+          }
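Review bot: the `grantType` value is read but never compared against `client_credentials`, so the `clientID`/`tokenId` comparison runs for any grant type that carries a `client_id`, which is broader than the comment "if this is a client credentials flow request" states; compare the value (e.g. `"client_credentials".equals(grantType)`) before treating the request as that flow. Also, `handleValidationError(...)` writes the 401 inside the `try` and execution then falls through rather than returning, so the `prechecks` flag must be checked before anything else writes to the response, and the enclosing `catch` must not emit a second response if a later statement throws. Finally, `split("::")` followed by `[1]` (context lines above) throws on a token without the separator; that is pre-existing, but a length check would turn it into a clean rejection rather than an exception handled by the generic catch.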

Review Comment:
   nit: I might have created a new `boolean validateClientCredentialsFlow(...)` method and assigned that to `prechecks`:
   ```
   try {
      ...
      prechecks = validateClientCredentialsFlow(...);
   } catch (Exception e) {
      ...
   }

   ...

   // if this is a client credentials flow request, then ensure the presented clientId is
   // the actual owner of the client_secret
   private boolean validateClientCredentialsFlow(...) {
      final String requestBodyString = getRequestBodyString(request);
      if (StringUtils.isNotBlank(requestBodyString)) {
         ...
      }
   }
   ```
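The `validateClientCredentialsFlow` helper suggested in the comment, written out as an added example that is neither Knox's code nor the reviewer's: it assumes a form-encoded request body passed in as a string, checks that `grant_type` is actually `client_credentials` before comparing `client_id` with the token owner, and rejects passcode tokens that do not contain exactly one `::` separator instead of indexing past the split result.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example, not Knox's code: the precheck sketched above as a stand-alone helper.
public final class ClientCredentialsPrecheck {
  static final String GRANT_TYPE = "grant_type";
  static final String CLIENT_ID = "client_id";
  static final String CLIENT_CREDENTIALS = "client_credentials";
  /** Decodes Base64(Base64(tokenId)::Base64(passcode)); returns null if malformed. */
  static String[] decodePasscodeToken(String tokenValue) {
    try {
      String outer = new String(Base64.getDecoder().decode(tokenValue), StandardCharsets.UTF_8);
      String[] parts = outer.split("::", -1);
      if (parts.length != 2) {
        return null; // missing or extra separator: reject instead of indexing past the array
      }
      String tokenId = new String(Base64.getDecoder().decode(parts[0]), StandardCharsets.UTF_8);
      String passcode = new String(Base64.getDecoder().decode(parts[1]), StandardCharsets.UTF_8);
      return new String[] {tokenId, passcode};
    } catch (IllegalArgumentException e) {
      return null; // invalid Base64 at either nesting level
    }
  }

  /** Parses an application/x-www-form-urlencoded body; the first value of a key wins. */
  static Map<String, String> parseForm(String body) {
    Map<String, String> params = new HashMap<>();
    if (body == null || body.isEmpty()) return params;
    for (String pair : body.split("&")) {
      int eq = pair.indexOf('=');
      String key = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
      String val = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
      params.putIfAbsent(key, val);
    }
    return params;
  }

  /** False only for a client_credentials request whose client_id is not the tokenId. */
  static boolean validateClientCredentialsFlow(String tokenId, String body) {
    Map<String, String> params = parseForm(body);
    if (!CLIENT_CREDENTIALS.equals(params.get(GRANT_TYPE))) {
      return true; // not a client credentials flow, so there is nothing to cross-check
    }
    String clientId = params.get(CLIENT_ID);
    return clientId == null || clientId.equals(tokenId);
  }
}
```

A caller would run `decodePasscodeToken` first, reject on `null`, and only then pass the recovered tokenId together with the body into `validateClientCredentialsFlow`, keeping the 401 response out of the parsing `try` block.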


