lmccay commented on code in PR #1039: URL: https://github.com/apache/knox/pull/1039#discussion_r2075515611
########## gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java:
##########
@@ -240,17 +242,34 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 // The received token value must be a Base64 encoded value of Base64(tokenId)::Base64(rawPasscode)
 String tokenId = null;
 String passcode = null;
+ boolean prechecks = true;
 try {
 final String[] base64DecodedTokenIdAndPasscode = decodeBase64(tokenValue).split("::");
 tokenId = decodeBase64(base64DecodedTokenIdAndPasscode[0]);
 passcode = decodeBase64(base64DecodedTokenIdAndPasscode[1]);
+ // if this is a client credentials flow request then ensure the presented clientId is
+ // the actual owner of the client_secret
+ final String requestBodyString = getRequestBodyString(request);
+ if (requestBodyString != null && !requestBodyString.isEmpty()) {
+ final String grantType = RequestBodyUtils.getRequestBodyParameter(requestBodyString, GRANT_TYPE);
+ if (grantType != null && !grantType.isEmpty()) {
+ final String clientID = RequestBodyUtils.getRequestBodyParameter(requestBodyString, CLIENT_ID);
+ // if there is no client_id then this is not a client credentials flow
+ if (clientID != null && !tokenId.equals(clientID)) {
+ prechecks = false;
+ log.wrongPasscodeToken(tokenId);
+ handleValidationError((HttpServletRequest) request, (HttpServletResponse) response,
+ HttpServletResponse.SC_UNAUTHORIZED,
+ MISMATCHING_CLIENT_ID_AND_CLIENT_SECRET);
+ }
+ }
+ }
Review Comment:
Good call. I'll take care of it.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
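Review bot: After the client_id mismatch branch calls handleValidationError and sets `prechecks = false`, execution continues inside the try block, so everything that follows in doFilter (outside the quoted hunk) must be gated on `prechecks`, and no later rejection path may call handleValidationError a second time on the already-committed 401 response. Returning right after the error call, if doFilter's contract allows it, would make that explicit; otherwise a comment on `boolean prechecks = true;` such as `// false once a 401 has already been written; all later validation must be skipped` would help the next reader. The gate `grantType != null && !grantType.isEmpty()` applies the mismatch check to any grant type that carries a client_id, not only client_credentials as the comment above it says; if that is intended, adjust the comment, otherwise compare grantType against the client_credentials value explicitly. getRequestBodyString(request) is not visible here — if it reads the servlet input stream without wrapping or caching the request, downstream handling that re-parses the body would see it empty, which is worth confirming. doFilter's body continues outside the quoted hunk.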