Uploaded image for project: 'Apache Knox'
  1. Apache Knox
  2. KNOX-2266

Tokens Should Include a Unique Identifier

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4.0
    • Fix Version/s: 1.4.0
    • Component/s: Server
    • Labels:
      None

      Description

      It has recently been discovered that the Knox Token service will issue duplicate tokens to clients making concurrent requests separated by milliseconds or less. This is due to the nimbus JWT library truncating expiration times to units of seconds.

      For many use cases, this is probably not an issue. However, as soon a support for token renewal and revocation is enabled, there is the potential for actions intended for one client's token to have unexpected effects on other client's tokens. This problem is potentially exacerbated in HA Knox deployments, whereby multiple Knox instances can receive simultaneous requests for tokens.

      These issued tokens must be unique.

      The inclusion of a private claim, the value of which is a UUID, would yield such unique tokens.

      An additional advantage of this is that the TokenStateService can use these UUIDs instead of the Base64-encoded tokens themselves as keys for the associated state. This will alleviate some limitations associated with the implementations of this service (e.g., Java keystore lower-cases aliases).

       

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                pzampino Philip Zampino
                Reporter:
                pzampino Philip Zampino
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 2h
                  2h