[jira] [Created] (KNOX-2266) Tokens Should Include a Unique Identifier

["Philip Zampino (Jira)" <ji...@apache.org>]

Philip Zampino created KNOX-2266:
------------------------------------

             Summary: Tokens Should Include a Unique Identifier
                 Key: KNOX-2266
                 URL: https://issues.apache.org/jira/browse/KNOX-2266
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
    Affects Versions: 1.4.0
            Reporter: Philip Zampino
            Assignee: Philip Zampino
             Fix For: 1.4.0


It has recently been discovered that the Knox Token service will issue duplicate tokens to clients making concurrent requests separated by milliseconds or less. This is due to the nimbus JWT library truncating expiration times to units of seconds.

For many use cases, this is probably not an issue. However, as soon a support for token renewal and revocation is enabled, there is the potential for actions intended for one client's token to have unexpected effects on other client's tokens. This problem is potentially exacerbated in HA Knox deployments, whereby multiple Knox instances can receive simultaneous requests for tokens.

These issued tokens must be unique.

The inclusion of a private claim, the value of which is a UUID, would yield such unique tokens.

An additional advantage of this is that the TokenStateService can use these UUIDs instead of the Base64-encoded tokens themselves as keys for the associated state. This will alleviate some limitations associated with the implementations of this service (e.g., Java keystore lower-cases aliases).

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)