Allow jwt bearer with empty secret #3233

Open
wants to merge 7 commits into
base: develop

strehle (Member) commented Jan 16, 2025

Remove checks in REST call

Move the check for existing secrets to the grant flow (runtime) and remove it from REST (configuration).

strehle force-pushed the fix/issue/3232 branch 2 times, most recently from 9485cf2 to 5410f9d, January 16, 2025 09:43

strehle (Member, Author) commented Jan 16, 2025

strehle marked this pull request as ready for review January 16, 2025 09:54
strehle requested review from a team January 16, 2025 10:34

Move the check for existing secrets to the grant flow (runtime) and remove it from REST (configuration).

We now support private_key_jwt next to secret, so checking all parts in REST is too little and will get complicated.
Fix a potential security issue because we must not create a token based on no authentication.

strehle linked an issue Feb 12, 2025 that may be closed by this pull request
strehle changed the title from "Refactoring to fix issue #3232" to "Allow jwt bearer with empty secret" Feb 12, 2025
Successfully merging this pull request may close these issues.

Allow jwt bearer with empty secret - thus password grant is allowed