Using a token to create a new token causes a nested username glitch

Symptoms: When using a token to grant sub-tokens (E.G. to distribute to users), the usernames generated add on an additional "token:" to the username

Steps to reproduce:

1. Use Basic Auth to create an Admin token:

curl -uadmin:password -d "username=root_token" -d "scope=jfrt@01dwk20xk6nr2s1w2xmw5x14ew:admin" http://artifactory.com/artifactory/api/security/token

*

{ "scope" : "jfrt@01dwk20xk6nr2s1w2xmw5x14ew:admin api:*", "access_token" : "eyJ[...] "expires_in" : 3600, "token_type" : "Bearer" }

*

2. Use this token to create a non-admin sub-token that belongs to 2 groups:
curl -H"Authorization: Bearer $root_token" -d "username=sub_token" -d "scope=member-of-groups:readers,sub-group" http://artifactory.com/artifactory/api/security/token

{
"scope" : "member-of-groups:readers,sub-group api:",*
"access_token" : "eyJ[...]
"expires_in" : 3600,
"token_type" : "Bearer"
}

3. Attempt to create a nested sub-token with a lesser scope (1 group):

curl -H "Authorization: Bearer $sub_token" -d "username=sub_token" -d "scope=member-of-groups:readers" [http://artifactory.com/artifactory/api/security/token

*

{ "error" : "invalid_request", "error_description" : "User token:sub_token can only create user token for himself (requested: sub_token)" }

*

The only way to create the nested sub-token is to use "token:sub_token" for the username field:
curl -H "Authorization: Bearer $sub_token" -d "username=token:sub_token" -d "scope=member-of-groups:readers" http://mill.jfrog.info:12224/artifactory/api/security/token

{ "scope" : "member-of-groups:readers api:*", "access_token" : "eyJ2[...] "expires_in" : 3600, "token_type" : "Bearer" }

 

This creates a new, further nested token "token:token:sub_token". 

 

Because of this behavior users cannot easily use tokens as a password for transient users. This creates problems when a CLI client like Docker cannot use the "authorization: Bearer" header directly.