
KNOX-3272: Improved OAuth flow checks and return 401 in case of missing client ID or invalid client secret#1170

Merged
smolnar82 merged 1 commit into apache:master from smolnar82:KNOX-3272 on Mar 6, 2026

Conversation


@smolnar82 smolnar82 commented Mar 6, 2026

KNOX-3272 - Client credential flow validation issues

What changes were proposed in this pull request?

This PR fixes two things:

  1. In case of invalid client_secret, the response code is 401 (it was 400)
  2. No longer possible to validate a client credentials flow request without the client_id

How was this patch tested?

Updated existing JUnit tests and added a new one to cover point 2 above.

I also ran some manual testing:

First, I added the CLIENTID service to the sandbox topology and acquired a client_id/client_secret pair:

<service>
    <role>CLIENTID</role>
    <param>
        <name>knox.token.exp.server-managed</name>
        <value>true</value>
    </param>
    <param>
        <name>knox.token.limit.per.user</name>
        <value>-1</value>
    </param>
</service>

$ curl -ku admin:admin-password -X GET 'https://localhost:8443/gateway/sandbox/clientid/api/v1/oauth/credentials'
{"client_secret":"TVdZMVlqaGtZemd0WXpreU5TMDBOek00TFRoall6SXRORFEyT1dFek1HWTJaV1UwOjpaVGd4T1RJeFlqTXRaVGcwTXkwME9URXpMV0prWkdZdFpqa3pNRFl3TlRobVl6QXg=","client_id":"1f5b8dc8-c925-4738-8cc2-4469a30f6ee4"}

Then I validated my changes. I created a new tokenbased topology with the KNOXTOKEN service (that simulates the protected backend service):

<topology>
    <name>tokenbased</name>
    <gateway>
        <provider>
            <role>federation</role>
            <name>JWTProvider</name>
            <enabled>true</enabled>
            <param>
                <name>knox.token.exp.server-managed</name>
                <value>true</value>
            </param>
        </provider>
    </gateway>
    <service>
        <role>KNOXTOKEN</role>
        <param>
            <name>knox.token.ttl</name>
            <value>10368000000</value>
        </param>
        <param>
            <name>knox.token.exp.server-managed</name>
            <value>true</value>
        </param>
    </service>
</topology>

Tried to get a token without client_id:

$ curl -ik -X POST -H  'Content-Type: application/x-www-form-urlencoded' -d 'client_secret=TVdZMVlqaGtZemd0WXpreU5TMDBOek00TFRoall6SXRORFEyT1dFek1HWTJaV1UwOjpaVGd4T1RJeFlqTXRaVGcwTXkwME9URXpMV0prWkdZdFpqa3pNRFl3TlRobVl6QXg=&grant_type=client_credentials' https://localhost:8443/gateway/tokenbased/knoxtoken/api/v1/token
HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 605
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 Client credentials flow with mismatching client_id and client_secret</title>
</head>
<body><h2>HTTP ERROR 401 Client credentials flow with mismatching client_id and client_secret</h2>
<table>
<tr><th>URI:</th><td>/gateway/tokenbased/knoxtoken/api/v1/token</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Client credentials flow with mismatching client_id and client_secret</td></tr>
<tr><th>SERVLET:</th><td>tokenbased-knox-gateway-servlet</td></tr>
</table>

</body>
</html>

Tried to get a token with an invalid client_secret (note the smolnar_ prefix):

$ curl -ik -X POST -H  'Content-Type: application/x-www-form-urlencoded' -d 'client_id=1f5b8dc8-c925-4738-8cc2-4469a30f6ee4&client_secret=smolnar_TVdZMVlqaGtZemd0WXpreU5TMDBOek00TFRoall6SXRORFEyT1dFek1HWTJaV1UwOjpaVGd4T1RJeFlqTXRaVGcwTXkwME9URXpMV0prWkdZdFpqa3pNRFl3TlRobVl6QXg=&grant_type=client_credentials' https://localhost:8443/gateway/tokenbased/knoxtoken/api/v1/token
HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 539
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 Error while parsing the received client secret</title>
</head>
<body><h2>HTTP ERROR 401 Error while parsing the received client secret</h2>
<table>
<tr><th>URI:</th><td>/gateway/tokenbased/knoxtoken/api/v1/token</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Error while parsing the received client secret</td></tr>
<tr><th>SERVLET:</th><td>tokenbased-knox-gateway-servlet</td></tr>
</table>

</body>
</html>

Tested the happy path too:

$ curl -ik -X POST -H  'Content-Type: application/x-www-form-urlencoded' -d 'client_id=1f5b8dc8-c925-4738-8cc2-4469a30f6ee4&client_secret=TVdZMVlqaGtZemd0WXpreU5TMDBOek00TFRoall6SXRORFEyT1dFek1HWTJaV1UwOjpaVGd4T1RJeFlqTXRaVGcwTXkwME9URXpMV0prWkdZdFpqa3pNRFl3TlRobVl6QXg=&grant_type=client_credentials' https://localhost:8443/gateway/tokenbased/knoxtoken/api/v1/token
HTTP/1.1 200 OK
Date: Fri, 06 Mar 2026 12:58:02 GMT
Content-Type: application/json
Content-Length: 2489

{"access_token":"eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4NDQzL2dhdGV3YXkvdG9rZW5iYXNlZC9rbm94dG9rZW4vYXBpL3YxL2p3a3MuanNvbiIsImtpZCI6ImJYUzQ5dHRZdUJva2pXRDRvbHVLLTdvRDFCcjkxZ2Ezd0RtSnZtdWx6bmciLCJ0eXAiOiJKV1...TTRabVJrWVRRek1qQTU="}

Integration Tests

N/A

UI changes

N/A
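The two behaviours this PR describes (a missing client_id can no longer reach secret validation, and a secret that fails to parse or does not match is answered with 401 rather than 400) can be summarised as a small request validator. The following is an added illustration written for this page, not Knox's own code: the client registry, the secret encoding (assumed here to be a plain base64 string), the "missing client_id" message and the 400 for an unsupported grant_type are all assumptions of the example, while the 401 messages are taken from the manual test output above.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs

# Constructed client registry standing in for the CLIENTID-issued pairs.
# The client_id is the one from the PR description; the secret is a made-up
# base64 value ("secret-for-demo") used only in this example.
CLIENT_REGISTRY = {
    "1f5b8dc8-c925-4738-8cc2-4469a30f6ee4": "c2VjcmV0LWZvci1kZW1v",
}

# Messages: the last two are quoted from the PR's curl output, the first is an
# assumed wording (the PR reports the missing-client_id case as a mismatch).
MSG_MISSING_CLIENT_ID = "Client credentials flow without client_id"
MSG_PARSE_ERROR = "Error while parsing the received client secret"
MSG_MISMATCH = "Client credentials flow with mismatching client_id and client_secret"


def parse_form(body: str) -> dict[str, str]:
    """Parse an application/x-www-form-urlencoded body, keeping the first value per key.

    Note that '+' in a raw base64 secret would decode to a space here, so a
    real client must percent-encode the secret (curl's -d does not).
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_client_credentials(form: dict[str, str]) -> tuple[int, str]:
    """Return (http_status, message) for a client_credentials token request.

    Every authentication failure maps to 401 (RFC 6749 'invalid_client'); only
    a wrong grant_type is a malformed request and therefore a 400.
    """
    if form.get("grant_type") != "client_credentials":
        return 400, "unsupported_grant_type"

    client_id = form.get("client_id", "")
    client_secret = form.get("client_secret", "")

    # Point 2 of the PR: never try to validate a secret without a client_id.
    if not client_id:
        return 401, MSG_MISSING_CLIENT_ID

    # "Parsing" the secret: it must be well-formed base64. validate=True rejects
    # characters outside the base64 alphabet, such as the underscore in the
    # "smolnar_" prefix used in the manual test.
    try:
        base64.b64decode(client_secret, validate=True)
    except (binascii.Error, ValueError):
        return 401, MSG_PARSE_ERROR

    # Point 1 of the PR: a secret that parses but does not match the registered
    # one for this client_id is an authentication failure (401), not a 400.
    # The comparison is constant-time so timing does not leak how many
    # characters of the secret were right.
    expected = CLIENT_REGISTRY.get(client_id, "")
    if not expected or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return 401, MSG_MISMATCH

    return 200, "ok"


if __name__ == "__main__":
    # The three requests from the PR description, with the constructed secret.
    bodies = [
        "client_secret=c2VjcmV0LWZvci1kZW1v&grant_type=client_credentials",
        "client_id=1f5b8dc8-c925-4738-8cc2-4469a30f6ee4&client_secret=smolnar_c2VjcmV0LWZvci1kZW1v&grant_type=client_credentials",
        "client_id=1f5b8dc8-c925-4738-8cc2-4469a30f6ee4&client_secret=c2VjcmV0LWZvci1kZW1v&grant_type=client_credentials",
    ]
    for body in bodies:
        status, message = validate_client_credentials(parse_form(body))
        print(f"HTTP {status}: {message}")
```

Keeping all three failure cases on 401 is deliberate: a caller that could distinguish "unknown client_id" from "wrong secret" by status code would get an enumeration hint for free, and clients that branch on 400 vs 401 to decide whether to re-authenticate now see the intended code.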


github-actions bot commented Mar 6, 2026

Test Results

7 tests in 1 suite (1 file): 7 passed ✅, 0 skipped 💤, 0 failed ❌, 1s ⏱️

Results for commit 13415ba.

@smolnar82 smolnar82 merged commit 10ac9f6 into apache:master Mar 6, 2026
3 checks passed
@smolnar82 smolnar82 deleted the KNOX-3272 branch March 6, 2026 16:01