Posted to dev@knox.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/04/22 12:49:00 UTC

[jira] [Commented] (KNOX-2734) Exclude token passcode from KnoxToken responses when server-managed state is disabled.

    [ https://issues.apache.org/jira/browse/KNOX-2734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17526402#comment-17526402 ] 

ASF subversion and git services commented on KNOX-2734:
-------------------------------------------------------

Commit 0b6bf4f852aa9c0f5806d9ba4f3bcb6a62798900 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=0b6bf4f85 ]

KNOX-2734 - Passcode token is optional in TokenResource's response (#562)



> Exclude token passcode from KnoxToken responses when server-managed state is disabled.
> --------------------------------------------------------------------------------------
>
>                 Key: KNOX-2734
>                 URL: https://issues.apache.org/jira/browse/KNOX-2734
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.0.0
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Responses from the KnoxToken service include a passcode, which is only relevant/valid if the server-managed token state is enabled. In the case that it is disabled, the passcode should not be included in the responses.
> {noformat}
> {
>   "access_token": "eyJqa3UiOiJodHRwczpcL1wvc3NnM2RsLW1hc3RlcjAuc3NnZTMueGN1Mi04eTh4LmRldi5jbGRyLndvcms6ODQ0M1wvc3NnM2RsXC9rdC1rZXJiZXJvc1wva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJaWFF3UWtKMnNIMzNoUThYNEFlM05VODJKMTYySlBlYVRVMWZqazE3VzI4IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJjc3NvX3NzZXRoIiwiamt1IjoiaHR0cHM6XC9cL3NzZzNkbC1tYXN0ZXIwLnNzZ2UzLnhjdTItOHk4eC5kZXYuY2xkci53b3JrOjg0NDNcL3NzZzNkbFwva3Qta2VyYmVyb3NcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoiWlhRd1FrSjJzSDMzaFE4WDRBZTNOVTgySjE2MkpQZWFUVTFmamsxN1cyOCIsImlzcyI6IktOT1hTU08iLCJleHAiOjE2NTA0MTYwMzEsIm1hbmFnZWQudG9rZW4iOiJmYWxzZSIsImtub3guaWQiOiJmMGFlYzNjNC1kNzVhLTQ0M2ItODQ2YS1kM2FmMTNlNmJlOTEifQ.DFkepUDw6Nt9KhyOoz_u4cfMYkPlSiifZHEsj6Es5Ymy4BtASt4we3kWQc_NMAllRkL5HFK3ZZ58aFUbJvyjwklQpRQABMHSZuIkURcmz8dctH_JfWX_WtXyzwRd-KGDdLrHSn-x4tTjfc0iXdoxxqr-9wJNmcXcMZyQO3aJHV38q2hbSc9Muht_tbe_UgfI_ukfloDHxL9tWRctitjmz3T7H0SpJKxdvspIz-PaSvOOeNqTfCOKgY0hpK_CkBr1NjkyASjCyAz0hq41COt1BMbWc6djgTBl9C6bXNa1Abhn_e87Hh1kDBUdOIAd7Sbpd12oiH92ZQOnfnE0-yLS5Q",
>   "token_id": "f0aec3c4-d75a-443b-846a-d3af13e6be91",
>   "managed": "false",
>   "endpoint_public_cert": "...",
>   "token_type": "Bearer",
>   "expires_in": 1650416031187,
>   "passcode": "WmpCaFpXTXpZelF0WkRjMVlTMDBORE5pTFRnME5tRXRaRE5oWmpFelpUWmlaVGt4OjpORGhsT0Rnek5UY3RZamcyTmkwME1UY3hMVGs1WTJFdE9EazVPRGM0TnpGalpqbG0="
> }{noformat}
> If a response includes *"managed" : "false"*, then it should NOT include the passcode.
> Moreover, even if the token is _managed_ but the underlying token state backend is only in-memory ({{gateway.service.tokenstate.impl = org.apache.knox.gateway.services.token.impl.DefaultTokenStateService}} in {{gateway-site.xml}}), the passcode should be excluded from the response too.
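As an added illustration (not part of the ticket or of the Knox code base), a Python check that applies the rule stated above to a KnoxToken JSON response: a passcode may only appear when the token is server-managed and the token state backend is persistent. The sample response, its JWT and the passcode value are constructed inline; only the token_id and the DefaultTokenStateService class name are taken from the ticket.

```python
import base64
import json

# Class name quoted in the ticket: the in-memory token state backend.
IN_MEMORY_IMPL = "org.apache.knox.gateway.services.token.impl.DefaultTokenStateService"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, read without verifying the signature.
    Verification is out of scope here: the check only inspects what the server
    chose to put into its own response."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def passcode_findings(response: dict, tokenstate_impl: str = None) -> list:
    """Findings for one KnoxToken response under the KNOX-2734 rule.
    tokenstate_impl is the configured gateway.service.tokenstate.impl, if known."""
    findings = []
    managed = str(response.get("managed", "")).lower() == "true"
    claims = jwt_claims(response["access_token"])
    if managed != (str(claims.get("managed.token", "")).lower() == "true"):
        findings.append("managed flag disagrees with managed.token claim")
    if claims.get("knox.id") != response.get("token_id"):
        findings.append("token_id does not match knox.id claim")
    if not managed and "passcode" in response:
        findings.append("passcode present although token is not server-managed")
    if managed and tokenstate_impl == IN_MEMORY_IMPL and "passcode" in response:
        findings.append("passcode present although token state is only in-memory")
    return findings


def make_sample(managed: bool, include_passcode: bool) -> dict:
    """Constructed response shaped like the one in the ticket (dummy signature, placeholder passcode)."""
    token_id = "f0aec3c4-d75a-443b-846a-d3af13e6be91"  # token_id quoted in the ticket
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    payload = _b64url(json.dumps({"sub": "alice", "iss": "KNOXSSO", "exp": 1650416031,
                                  "managed.token": str(managed).lower(), "knox.id": token_id}).encode())
    resp = {"access_token": f"{header}.{payload}.{_b64url(b'dummy-signature')}",
            "token_id": token_id, "managed": str(managed).lower(),
            "token_type": "Bearer", "expires_in": 1650416031187}
    if include_passcode:
        resp["passcode"] = "CONSTRUCTED-PASSCODE-PLACEHOLDER"
    return resp
```

Run against a response with "managed": "false" and a passcode, the check reports the exact leak the ticket describes; with the in-memory backend configured it also flags a managed token that still carries a passcode.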



--
This message was sent by Atlassian Jira
(v8.20.7#820007)