Apache Knox / KNOX-2266

Tokens Should Include a Unique Identifier


Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 1.4.0
• Fix Version/s: 1.4.0
• Component/s: Server
• Labels: None

Description

It has recently been discovered that the Knox Token service will issue duplicate tokens to clients making concurrent requests separated by milliseconds or less. This is because the Nimbus JWT library truncates expiration times to whole seconds, so two tokens with the same subject and issuer requested within the same second carry identical claims and therefore serialize identically.

For many use cases, this is probably not an issue. However, as soon as support for token renewal and revocation is enabled, there is the potential for actions intended for one client's token (e.g., revoking it) to have unexpected effects on other clients' tokens that happen to be byte-for-byte identical. This problem is potentially exacerbated in HA Knox deployments, where multiple Knox instances can receive simultaneous requests for tokens.

These issued tokens must be unique.

The inclusion of a private claim, the value of which is a UUID, would yield such unique tokens.

An additional advantage of this is that the TokenStateService can use these UUIDs instead of the Base64-encoded tokens themselves as keys for the associated state. This will alleviate some limitations associated with the implementations of this service (e.g., Java keystore lower-cases aliases).
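The collision and the proposed fix, as an added stand-alone illustration rather than Knox's own code: a minimal HS256 compact JWS is built with the Python standard library, the issuer name, TTL and HMAC key are constructed values, and the standard `jti` (JWT ID) claim stands in for the "private UUID claim" the issue describes. It also shows keying token state by that UUID instead of by the whole token.

```python
import base64
import hashlib
import hmac
import json
import uuid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes) -> str:
    """Serialize claims as a compact HS256 JWS (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def build_claims(subject: str, now_ms: int, ttl_ms: int, unique: bool) -> dict:
    """Assumed claim set. The expiry is computed in milliseconds, but the JWT
    'exp' claim is a NumericDate in whole seconds, so requests that arrive a
    few milliseconds apart end up with an identical 'exp' value."""
    claims = {"iss": "constructed-issuer", "sub": subject, "exp": (now_ms + ttl_ms) // 1000}
    if unique:
        # The fix described in the issue: a per-token UUID. RFC 7519's 'jti'
        # claim is used here; the issue itself only says "a private claim".
        claims["jti"] = str(uuid.uuid4())
    return claims


def issue_concurrent(subject: str, count: int, unique: bool, key: bytes, start_ms: int) -> list:
    """Simulate `count` requests for the same subject arriving 1 ms apart."""
    return [mint_token(build_claims(subject, start_ms + i, 30_000, unique), key) for i in range(count)]


def state_key(token: str) -> str:
    """Key for a TokenStateService-style store: prefer the UUID claim over the
    whole Base64 token (sidesteps e.g. keystore aliases being lower-cased)."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims.get("jti", token)


if __name__ == "__main__":
    key, start = b"constructed-hmac-secret", 1_700_000_000_000  # constructed values
    print("distinct tokens without jti:", len(set(issue_concurrent("alice", 3, False, key, start))))
    print("distinct tokens with jti:   ", len(set(issue_concurrent("alice", 3, True, key, start))))
```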



People

• Assignee: Philip Zampino (pzampino)
• Reporter: Philip Zampino (pzampino)


Time Tracking

• Estimated: Not Specified
• Remaining: 0h
• Logged: 2h
