[https://issues.apache.org/jira/browse/KNOX-3260?focusedWorklogId=1006659&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1006659]
ASF GitHub Bot logged work on KNOX-3260:
----------------------------------------
Author: ASF GitHub Bot
Created on: 23/Feb/26 13:27
Start Date: 23/Feb/26 13:27
Worklog Time Spent: 10m
Work Description: smolnar82 commented on code in PR #1154:
URL: https://github.com/apache/knox/pull/1154#discussion_r2839917284
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java:
##########
@@ -334,23 +342,44 @@ private Pair<TokenType, String>
parseFromClientCredentialsFlow(ServletRequest re
if (clientSecretPresentAsQueryString) {
throw new SecurityException("client_secret must not be sent as a query
parameter");
}
- return getClientCredentialsFromRequestBody(request);
+ return getTokenFromRequestBody(request);
}
- private Pair<TokenType, String>
getClientCredentialsFromRequestBody(ServletRequest request) {
+ private Pair<TokenType, String> getTokenFromRequestBody(ServletRequest
request) {
final String grantType = request.getParameter(GRANT_TYPE);
if (CLIENT_CREDENTIALS.equals(grantType)) {
- // this is indeed a client credentials flow client_id and
- // client_secret are expected now the client_id will be in
- // the token as the token_id so we will get that later
+ // client credentials flow: client_id and client_secret are expected
+ // the client_id will be in the token as the token_id
final String clientSecret = request.getParameter(CLIENT_SECRET);
validateClientID((HttpServletRequest) request, clientSecret);
return Pair.of(TokenType.Passcode, clientSecret);
+ } else if (REFRESH_TOKEN.equals(grantType)) {
+ // refresh_token flow: the refresh_token parameter contains the
actual token
+ final String refreshToken =
request.getParameter(REFRESH_TOKEN_PARAM);
+ if (refreshToken != null) {
+ // determine if it's a JWT or passcode token
+ if (isJWT(refreshToken)) {
+ return Pair.of(TokenType.JWT, refreshToken);
+ } else {
+ return Pair.of(TokenType.Passcode, refreshToken);
+ }
+ }
+ } else if (TOKEN_EXCHANGE.equals(grantType)) {
+ // token_exchange flow: the subject_token parameter contains the
token to be exchanged
+ final String subjectToken = request.getParameter(SUBJECT_TOKEN);
+ if (subjectToken != null) {
+ // determine if it's a JWT or passcode token
+ if (isJWT(subjectToken)) {
+ return Pair.of(TokenType.JWT, subjectToken);
+ } else {
+ return Pair.of(TokenType.Passcode, subjectToken);
+ }
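Review bot: the query-string guard at the top of this hunk (`throw new SecurityException("client_secret must not be sent as a query parameter")`) has no counterpart for the two new branches, yet `request.getParameter(REFRESH_TOKEN_PARAM)` and `request.getParameter(SUBJECT_TOKEN)` will happily read a refresh token or subject token supplied in the URL rather than the POST body, where it ends up in access logs and proxy logs just like a leaked client_secret would; apply the same "must not be sent as a query parameter" check to both before reading them. Separately, when `refreshToken` or `subjectToken` is null, and when `grantType` matches none of the three branches, control falls out of the if/else chain with no visible handling in this hunk; an explicit rejection (SecurityException, as the existing branch does) would make the missing-parameter case fail closed. The two new branches are also identical apart from the parameter name and would read better as one helper taking the parameter name.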
Review Comment:
This could be:
```java
} else if (REFRESH_TOKEN.equals(grantType)) {
    return getRefreshOrSubjectToken(request, REFRESH_TOKEN_PARAM);
} else if (TOKEN_EXCHANGE.equals(grantType)) {
    return getRefreshOrSubjectToken(request, SUBJECT_TOKEN);
}
...
// shared by the refresh_token and token_exchange flows; only the parameter name differs
private Pair<TokenType, String> getRefreshOrSubjectToken(ServletRequest request, String requestParamName) {
    final String refreshOrSubjectToken = request.getParameter(requestParamName);
    if (refreshOrSubjectToken != null) {
        // a well-formed JWT is returned as such, anything else is treated as a passcode token
        return isJWT(refreshOrSubjectToken)
            ? Pair.of(TokenType.JWT, refreshOrSubjectToken)
            : Pair.of(TokenType.Passcode, refreshOrSubjectToken);
    }
    return null;
}
```
##########
gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/OAuthFlowsFederationFilterTest.java:
##########
@@ -76,6 +78,28 @@ public void testGetWireTokenUsingClientCredentialsFlow()
throws Exception {
assertEquals(passcode, wireToken.getRight());
}
+ @Test
+ public void testGetWireTokenUsingClientCredentialsBasicAuth() throws
Exception {
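Review bot: `testGetWireTokenUsingClientCredentialsBasicAuth` names only the success path; since the production change now accepts client_id and client_secret from an HTTP Basic Authorization header, the rejection cases belong next to it (client_secret additionally present as a query parameter, missing or malformed Authorization header, grant_type other than client_credentials) so that the fail-closed behaviour is pinned by a test. Factoring the shared request and filter setup into a helper, as suggested in the comment above, would keep those extra cases from multiplying the duplication further.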
Review Comment:
Many of the tests below duplicate code; I think there might be a way to remove most of it.
Issue Time Tracking
-------------------
Worklog Id: (was: 1006659)
Time Spent: 20m (was: 10m)
> Extend Client Credentials Support to include the client_id and client_secret
> as HTTP Basic
> ------------------------------------------------------------------------------------------
>
> Key: KNOX-3260
> URL: https://issues.apache.org/jira/browse/KNOX-3260
> Project: Apache Knox
> Issue Type: New Feature
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Many OAuth clients for client credentials only support HTTP basic credentials
> + grant_type headers.
> Extend the existing support for HTTP Basic that is there for passcode and
> JWTs as passwords to support both client_id and client_secret when the
> grant_type is also client_credentials.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)