Artifactory Binary Repository
RTFACT-20921

Using a token to create a new token causes a nested username glitch


    Details

    • Type: Bug
    • Status: Open
    • Priority: 4 - Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Access Tokens
    • Labels:
      None
    • Severity:
      Medium

      Description

      Symptoms: When using a token to grant sub-tokens (e.g. to distribute to users), the generated usernames gain an additional "token:" prefix on each level of nesting.

      Steps to reproduce:

      1. Use Basic Auth to create an Admin token:

      curl -uadmin:password -d "username=root_token" -d "scope=jfrt@01dwk20xk6nr2s1w2xmw5x14ew:admin" http://artifactory.com/artifactory/api/security/token

      { "scope" : "jfrt@01dwk20xk6nr2s1w2xmw5x14ew:admin api:*", "access_token" : "eyJ[...]", "expires_in" : 3600, "token_type" : "Bearer" }

      2. Use this token to create a non-admin sub-token that belongs to 2 groups:

      curl -H "Authorization: Bearer $root_token" -d "username=sub_token" -d "scope=member-of-groups:readers,sub-group" http://artifactory.com/artifactory/api/security/token

      {
      "scope" : "member-of-groups:readers,sub-group api:*",
      "access_token" : "eyJ[...]",
      "expires_in" : 3600,
      "token_type" : "Bearer"
      }

      3. Attempt to create a nested sub-token with a lesser scope (1 group):

      curl -H "Authorization: Bearer $sub_token" -d "username=sub_token" -d "scope=member-of-groups:readers" http://artifactory.com/artifactory/api/security/token

      { "error" : "invalid_request", "error_description" : "User token:sub_token can only create user token for himself (requested: sub_token)" }

      The only way to create the nested sub-token is to use "token:sub_token" for the username field:
      curl -H "Authorization: Bearer $sub_token" -d "username=token:sub_token" -d "scope=member-of-groups:readers" http://mill.jfrog.info:12224/artifactory/api/security/token

      { "scope" : "member-of-groups:readers api:*", "access_token" : "eyJ2[...]", "expires_in" : 3600, "token_type" : "Bearer" }

      This creates a new, further nested token "token:token:sub_token".

      Because of this behavior, users cannot easily use tokens as the password for transient users. This creates problems when a CLI client like Docker cannot send the "Authorization: Bearer" header directly.
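      The following script is an added example for this issue, not code from the report or from JFrog. It walks the three token-creation steps above with the same endpoint, form fields and scopes, and then decodes each returned JWT (without signature verification, for inspection only) so the accumulating "token:" prefix can be read straight from the token's subject. Assumptions not in the report: the environment variable names (ARTIFACTORY_URL, ARTIFACTORY_USER, ARTIFACTORY_PASSWORD, ARTIFACTORY_SERVICE_ID), that a refused request comes back as an HTTP error status rather than a 200 with an error body, and that the "sub" claim has the form "<service-id>/users/<username>". Without ARTIFACTORY_URL set it runs offline against a constructed, unsigned JWT that mimics the doubled prefix.

```python
"""Reproduce the nested "token:" username behaviour and inspect each token.

Added example for this issue, not code from the report or from JFrog. The
endpoint, form fields and scopes are the ones used in the report; everything
else is an assumption: the environment variable names, that a refused request
comes back as an HTTP error status, and that the token's JWT "sub" claim has the
form "<service-id>/users/<username>".
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/artifactory/api/security/token"


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_username(token: str) -> str:
    """Username part of the subject, assuming "<service-id>/users/<username>"."""
    return decode_jwt_payload(token)["sub"].rsplit("/users/", 1)[-1]


def nesting_depth(username: str) -> int:
    """How many "token:" prefixes the username has accumulated (0 for a plain user)."""
    depth = 0
    while username.startswith("token:"):
        username = username[len("token:"):]
        depth += 1
    return depth


def create_token(base_url, *, username, scope, basic=None, bearer=None):
    """POST the same form fields as the curl commands and return the access_token."""
    body = urllib.parse.urlencode({"username": username, "scope": scope}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + TOKEN_PATH, data=body)
    if bearer is not None:
        req.add_header("Authorization", "Bearer " + bearer)
    elif basic is not None:
        cred = base64.b64encode(f"{basic[0]}:{basic[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def reproduce(base_url, admin_user, admin_password, service_id):
    """Steps 1-3 of the report; returns the username carried by each token."""
    root = create_token(base_url, username="root_token",
                        scope=f"{service_id}:admin", basic=(admin_user, admin_password))
    sub = create_token(base_url, username="sub_token",
                       scope="member-of-groups:readers,sub-group", bearer=root)
    try:
        # What the report tries first: the plain username is rejected
        # (assumed to surface as an HTTP error status).
        nested = create_token(base_url, username="sub_token",
                              scope="member-of-groups:readers", bearer=sub)
    except urllib.error.HTTPError:
        # The workaround from the report: hand back the already-prefixed name.
        nested = create_token(base_url, username="token:sub_token",
                              scope="member-of-groups:readers", bearer=sub)
    return [token_username(t) for t in (root, sub, nested)]


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed JWT-shaped string for offline use; not issued by Artifactory."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.unsigned"


if __name__ == "__main__":
    url = os.environ.get("ARTIFACTORY_URL")  # e.g. http://artifactory.com (assumed name)
    if url:
        names = reproduce(url, os.environ["ARTIFACTORY_USER"],
                          os.environ["ARTIFACTORY_PASSWORD"], os.environ["ARTIFACTORY_SERVICE_ID"])
    else:  # offline: a constructed token showing the doubled prefix
        names = [token_username(make_unsigned_jwt(
            {"sub": "jfrt@01dwk20xk6nr2s1w2xmw5x14ew/users/token:token:sub_token"}))]
    for name in names:
        print(f"{name!r}: nesting depth {nesting_depth(name)}")
```

      A nesting depth above 1 for the third token is the glitch the report describes: each level of delegation prepends another "token:" instead of reusing the existing token user. Because the decoder skips signature verification it must never be used to accept a token, only to look at what a token you already trust says about itself.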

        People

        Assignee: Unassigned
        Reporter: Patrick Russell