Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/03/09 18:19:00 UTC

[jira] [Work logged] (KNOX-2266) Tokens Should Include a Unique Identifier

     [ https://issues.apache.org/jira/browse/KNOX-2266?focusedWorklogId=400275&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-400275 ]

ASF GitHub Bot logged work on KNOX-2266:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/Mar/20 18:18
            Start Date: 09/Mar/20 18:18
    Worklog Time Spent: 10m 
      Work Description: pzampino commented on pull request #284: KNOX-2266 - Tokens Should Include a Unique Identifier
URL: https://github.com/apache/knox/pull/284
 
 
   ## What changes were proposed in this pull request?
   
   JWTs issued and validated by Knox now include a unique identifier as a private claim. This is mostly to guarantee token uniqueness, even for multiple requests within the same second.
   Further, the TokenStateService has been updated to leverage this unique identifier as the key for handling token state. This identifier is less susceptible to the nuances of some storage mechanisms.
   
   ## How was this patch tested?
   
   Multiple existing tests were modified to accommodate this change while ensuring the maintenance of existing behavior. TokenServiceResourceTest#testConcurrentGetToken was added to validate these changes. I've also done a bit of manual testing.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 400275)
    Remaining Estimate: 0h
            Time Spent: 10m

> Tokens Should Include a Unique Identifier
> -----------------------------------------
>
>                 Key: KNOX-2266
>                 URL: https://issues.apache.org/jira/browse/KNOX-2266
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 1.4.0
>            Reporter: Philip Zampino
>            Assignee: Philip Zampino
>            Priority: Major
>             Fix For: 1.4.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> It has recently been discovered that the Knox Token service will issue duplicate tokens to clients making concurrent requests separated by milliseconds or less. This is due to the Nimbus JWT library truncating expiration times to units of seconds.
> For many use cases, this is probably not an issue. However, as soon as support for token renewal and revocation is enabled, there is the potential for actions intended for one client's token to have unexpected effects on other clients' tokens. This problem is potentially exacerbated in HA Knox deployments, whereby multiple Knox instances can receive simultaneous requests for tokens.
> These issued tokens must be unique.
> The inclusion of a private claim, the value of which is a UUID, would yield such unique tokens.
> An additional advantage of this is that the TokenStateService can use these UUIDs instead of the Base64-encoded tokens themselves as keys for the associated state. This will alleviate some limitations associated with the implementations of this service (e.g., Java keystore lower-cases aliases).
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
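The failure mode described in KNOX-2266, and the fix it proposes, worked through as an added example (this is illustrative code written for this page, not Knox's token service or the Nimbus library). The example uses a minimal standard-library HS256 JWS encoder so it runs offline; the private claim name "knox.id", the in-memory TokenStateService, the case-folding AliasStore standing in for a Java keystore, and the two sub-second request timestamps are all assumptions made for the illustration. It shows that two tokens minted within the same second with identical claims are byte-for-byte identical once "exp" is truncated to whole seconds, that revoking one therefore revokes the other, that a UUID claim makes the tokens distinct and their state independent, and that a lower-case UUID survives a case-folding key store where a Base64 token does not.

```python
"""KNOX-2266 illustration: why issued JWTs need a unique identifier claim.

Added example, not Knox code. Standard library only. The HS256 encoder,
the private claim name "knox.id", TokenStateService and AliasStore are
assumptions made for this page.
"""
import base64
import hashlib
import hmac
import json
import uuid

SECRET = b"constructed-example-hmac-key-do-not-reuse"   # constructed key

# Two concurrent requests 750 ms apart (constructed timestamps, same second).
SAME_SECOND = (1583777880.120, 1583777880.870)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: float, ttl: float = 3600.0, with_id: bool = False) -> str:
    """Mint a compact JWS. As with the Nimbus library, "exp" is a whole number
    of seconds, so issue times that differ by milliseconds collapse together."""
    claims = {"iss": "KNOXSSO", "sub": subject, "exp": int(now + ttl)}
    if with_id:
        claims["knox.id"] = str(uuid.uuid4())   # assumed private-claim name
    header = {"alg": "HS256", "typ": "JWT"}
    canon = lambda obj: json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    parts = [_b64url(canon(header)), _b64url(canon(claims))]
    signature = hmac.new(SECRET, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(signature)])


def verify_and_decode(token: str) -> dict:
    """Check the HMAC and return the claim set."""
    header, payload, signature = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


class AliasStore:
    """Stand-in for a store that case-folds its keys, as Java keystore aliases are."""

    def __init__(self):
        self._entries = {}

    def put(self, alias: str, value: dict) -> None:
        self._entries[alias.lower()] = value

    def get(self, alias: str):
        return self._entries.get(alias.lower())

    def aliases(self) -> list:
        return list(self._entries)


class TokenStateService:
    """Tracks revocation keyed by the token's unique id; without one it falls
    back to the raw token string, which is the pre-fix behaviour."""

    def __init__(self):
        self._store = AliasStore()

    @staticmethod
    def key_for(token: str) -> str:
        return verify_and_decode(token).get("knox.id", token)

    def add(self, token: str) -> None:
        self._store.put(self.key_for(token), {"revoked": False})

    def revoke(self, token: str) -> None:
        state = self._store.get(self.key_for(token))
        if state is None:
            raise KeyError("unknown token")
        state["revoked"] = True

    def is_revoked(self, token: str) -> bool:
        state = self._store.get(self.key_for(token))
        return state is not None and state["revoked"]

    def stored_aliases(self) -> list:
        return self._store.aliases()


def collision_without_id() -> bool:
    """True: same subject, same truncated exp, no id -> identical tokens."""
    return issue_token("alice", SAME_SECOND[0]) == issue_token("alice", SAME_SECOND[1])


def revoke_affects_other_client_without_id() -> bool:
    """True: revoking the first client's token also revokes the second's."""
    svc = TokenStateService()
    a, b = issue_token("alice", SAME_SECOND[0]), issue_token("alice", SAME_SECOND[1])
    svc.add(a)
    svc.add(b)
    svc.revoke(a)
    return svc.is_revoked(b)


def revoke_isolated_with_id() -> tuple:
    """(tokens differ, a revoked, b revoked) -> (True, True, False)."""
    svc = TokenStateService()
    a = issue_token("alice", SAME_SECOND[0], with_id=True)
    b = issue_token("alice", SAME_SECOND[1], with_id=True)
    svc.add(a)
    svc.add(b)
    svc.revoke(a)
    return a != b, svc.is_revoked(a), svc.is_revoked(b)


def alias_round_trips(with_id: bool) -> bool:
    """A case-folded store cannot hand back a Base64 token unchanged (it has
    upper-case letters); a lower-case UUID survives the round trip."""
    svc = TokenStateService()
    token = issue_token("alice", SAME_SECOND[0], with_id=with_id)
    svc.add(token)
    return svc.stored_aliases() == [TokenStateService.key_for(token)]
```

Run it and compare `collision_without_id()` against `revoke_isolated_with_id()`: the first reproduces the duplicate-token case from the issue, the second shows the two same-second tokens becoming distinct and independently revocable once each carries its own UUID claim. `alias_round_trips` is the keystore point from the last paragraph of the issue: keying state by the UUID rather than by the Base64 token keeps the stored alias equal to the lookup key.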