
fix client assertion not sent through POST body #253

Merged: 2 commits merged into master from OKTA-832467 on Dec 17, 2024

Conversation

@duytiennguyen-okta (Contributor) commented Dec 16, 2024

okta-aws-cli is using the private_key_jwt client authentication method for requesting access_tokens from the POST /oauth2/v1/token endpoint in a non-standard way that is accepted by the POST /oauth2/v1/token endpoint.
It includes the client_assertion in the query string of the request instead of in the POST body. This is problematic because query strings should never contain sensitive data as they are prone to being logged.
The purpose of this PR is to move client_assertion from the query string to the POST body so that it is not logged.

Signed-off-by: Tien Nguyen <[email protected]>
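As an added illustration (not code from okta-aws-cli or from this PR), the Go snippet below builds the pre-fix request, with client_assertion in the query string, beside the corrected request that form-encodes it in the POST body, plus the check a reviewer would run over an outgoing request. The org URL, scope and JWT value are constructed placeholders; signing the assertion is out of scope.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed placeholder org URL; the real CLI derives it from configuration.
const tokenEndpoint = "https://example.okta.com/oauth2/v1/token"
// Assertion type defined for private_key_jwt (RFC 7523).
const clientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
// tokenParams wraps an already-signed JWT (signing is out of scope here) in the request parameters.
func tokenParams(assertion, scope string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"scope":                 {scope},
		"client_assertion_type": {clientAssertionType},
		"client_assertion":      {assertion},
	}
}
// buildRequestQuery mirrors the pre-fix behaviour: every parameter, the
// client_assertion included, is encoded into the URL query string.
func buildRequestQuery(assertion, scope string) (*http.Request, error) {
	u := tokenEndpoint + "?" + tokenParams(assertion, scope).Encode()
	return http.NewRequest(http.MethodPost, u, nil)
}
// buildRequestBody is the corrected behaviour: parameters are form-encoded in
// the POST body, so the request line (what access logs record) carries no secret.
func buildRequestBody(assertion, scope string) (*http.Request, error) {
	body := strings.NewReader(tokenParams(assertion, scope).Encode())
	req, err := http.NewRequest(http.MethodPost, tokenEndpoint, body)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}
// assertionInURL is the check for the leak this PR fixes: is the secret in the URL?
func assertionInURL(req *http.Request) bool {
	return req.URL.Query().Get("client_assertion") != ""
}

func main() {
	q, _ := buildRequestQuery("eyJ.constructed.jwt", "okta.apps.read")
	b, _ := buildRequestBody("eyJ.constructed.jwt", "okta.apps.read")
	fmt.Println("before:", q.URL, assertionInURL(q)) // assertion visible in URL
	fmt.Println("after: ", b.URL, assertionInURL(b)) // body carries it instead
}
```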
@monde (Collaborator) left a comment:

:shipit:

@duytiennguyen-okta duytiennguyen-okta merged commit 1c15230 into master Dec 17, 2024
5 checks passed
@duytiennguyen-okta duytiennguyen-okta deleted the OKTA-832467 branch December 17, 2024 03:52
@monde monde mentioned this pull request Jan 6, 2025