[
https://issues.apache.org/jira/browse/KNOX-3260?focusedWorklogId=1006697&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1006697
]
ASF GitHub Bot logged work on KNOX-3260:
----------------------------------------
Author: ASF GitHub Bot
Created on: 23/Feb/26 16:46
Start Date: 23/Feb/26 16:46
Worklog Time Spent: 10m
Work Description: lmccay commented on code in PR #1154:
URL: https://github.com/apache/knox/pull/1154#discussion_r2841902133
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java:
##########
@@ -334,23 +342,44 @@ private Pair<TokenType, String>
parseFromClientCredentialsFlow(ServletRequest re
if (clientSecretPresentAsQueryString) {
throw new SecurityException("client_secret must not be sent as a query
parameter");
}
- return getClientCredentialsFromRequestBody(request);
+ return getTokenFromRequestBody(request);
}
- private Pair<TokenType, String>
getClientCredentialsFromRequestBody(ServletRequest request) {
+ private Pair<TokenType, String> getTokenFromRequestBody(ServletRequest
request) {
final String grantType = request.getParameter(GRANT_TYPE);
if (CLIENT_CREDENTIALS.equals(grantType)) {
- // this is indeed a client credentials flow client_id and
- // client_secret are expected now the client_id will be in
- // the token as the token_id so we will get that later
+ // client credentials flow: client_id and client_secret are expected
+ // the client_id will be in the token as the token_id
final String clientSecret = request.getParameter(CLIENT_SECRET);
validateClientID((HttpServletRequest) request, clientSecret);
return Pair.of(TokenType.Passcode, clientSecret);
+ } else if (REFRESH_TOKEN.equals(grantType)) {
+ // refresh_token flow: the refresh_token parameter contains the
actual token
+ final String refreshToken =
request.getParameter(REFRESH_TOKEN_PARAM);
+ if (refreshToken != null) {
+ // determine if it's a JWT or passcode token
+ if (isJWT(refreshToken)) {
+ return Pair.of(TokenType.JWT, refreshToken);
+ } else {
+ return Pair.of(TokenType.Passcode, refreshToken);
+ }
+ }
+ } else if (TOKEN_EXCHANGE.equals(grantType)) {
+ // token_exchange flow: the subject_token parameter contains the
token to be exchanged
+ final String subjectToken = request.getParameter(SUBJECT_TOKEN);
+ if (subjectToken != null) {
+ // determine if it's a JWT or passcode token
+ if (isJWT(subjectToken)) {
+ return Pair.of(TokenType.JWT, subjectToken);
+ } else {
+ return Pair.of(TokenType.Passcode, subjectToken);
+ }
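Review bot: in the new `refresh_token` and `token_exchange` branches, a request whose `refresh_token` or `subject_token` parameter is absent drops out of the `if (refreshToken != null)` / `if (subjectToken != null)` guard with neither a return nor an error, unlike the query-string `client_secret` case at the top of the hunk, which throws a `SecurityException`. The hunk ends before the method's fallback is visible, so please confirm that a grant_type of `refresh_token` or `token_exchange` that arrives without its token parameter fails explicitly (for example `throw new SecurityException("refresh_token parameter is required")`) rather than being treated as a request with no credentials. The two branches also repeat the same `isJWT(...) ? TokenType.JWT : TokenType.Passcode` selection; a small shared helper would keep them from drifting apart.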
Review Comment:
@smolnar82 - this one seems to be obsolete since decoupling the PRs as well.
Issue Time Tracking
-------------------
Worklog Id: (was: 1006697)
Time Spent: 50m (was: 40m)
> Extend Client Credentials Support to include the client_id and client_secret as HTTP Basic
> ------------------------------------------------------------------------------------------
>
> Key: KNOX-3260
> URL: https://issues.apache.org/jira/browse/KNOX-3260
> Project: Apache Knox
> Issue Type: New Feature
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Many OAuth clients for client credentials only support HTTP basic credentials
> + grant_type headers.
> Extend the existing support for HTTP Basic that is there for passcode and
> JWTs as passwords to support both client_id and client_secret when the
> grant_type is also client_credentials.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)