Type: Bug
Status: Open
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: Access Tokens
Labels: None
Severity: Medium
Symptoms: When using a token to grant sub-tokens (e.g. to distribute to users), the generated usernames get an additional "token:" prefix.
Steps to reproduce:
1. Use Basic Auth to create an Admin token:
curl -u admin:password -d "username=root_token" -d "scope=jfrt@01dwk20xk6nr2s1w2xmw5x14ew:admin" http://artifactory.com/artifactory/api/security/token
{
"scope" : "jfrt@01dwk20xk6nr2s1w2xmw5x14ew:admin api:*",
"access_token" : "eyJ[...]",
"expires_in" : 3600,
"token_type" : "Bearer"
}
2. Use this token to create a non-admin sub-token that belongs to 2 groups:
curl -H "Authorization: Bearer $root_token" -d "username=sub_token" -d "scope=member-of-groups:readers,sub-group" http://artifactory.com/artifactory/api/security/token
{
"scope" : "member-of-groups:readers,sub-group api:*",
"access_token" : "eyJ[...]",
"expires_in" : 3600,
"token_type" : "Bearer"
}
3. Attempt to create a nested sub-token with a lesser scope (1 group):
curl -H "Authorization: Bearer $sub_token" -d "username=sub_token" -d "scope=member-of-groups:readers" http://artifactory.com/artifactory/api/security/token
{
"error" : "invalid_request",
"error_description" : "User token:sub_token can only create user token for himself (requested: sub_token)"
}
The only way to create the nested sub-token is to use "token:sub_token" for the username field:
curl -H "Authorization: Bearer $sub_token" -d "username=token:sub_token" -d "scope=member-of-groups:readers" http://mill.jfrog.info:12224/artifactory/api/security/token
This creates a new, further nested token "token:token:sub_token".
Because of this behavior, users cannot easily use tokens as a password for transient users. This creates problems when a CLI client like Docker cannot use the "Authorization: Bearer" header directly.
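The following script is an added reproduction helper, not part of the original report and not JFrog's code. It runs the three steps above against a configured instance and decodes each returned token's JWT payload so the subject can be compared across the chain (it is assumed here that Artifactory access tokens are JWTs with a "sub" claim, which the "eyJ..." prefix suggests but the report does not state). It assumes curl and GNU base64 are installed and that ART_URL (e.g. http://artifactory.com), ART_USER, ART_PASS and ART_ADMIN_SCOPE (the instance-specific "jfrt@<id>:admin" scope from step 1) are set in the environment; the helper names are hypothetical.

```shell
#!/bin/sh
# Reproduction helper for the nested sub-token behaviour in this report.
# Added example, not JFrog's code. Assumes curl and GNU base64, plus the
# environment variables ART_URL, ART_USER, ART_PASS and ART_ADMIN_SCOPE.

# Pull a string-valued field out of a JSON body on stdin (no jq needed).
json_field() {
  sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Decode the payload segment of a JWT (base64url, padding stripped).
jwt_payload() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d
}

# The subject claim is where a "token:<username>" identity would show up.
# Assumption: the token is a JWT carrying a "sub" claim.
jwt_sub() {
  jwt_payload "$1" | json_field sub
}

# create_token <bearer-or-empty> <username> <scope>
# An empty bearer argument means Basic auth with ART_USER/ART_PASS.
create_token() {
  username=$2; scope=$3
  if [ -n "$1" ]; then
    set -- -H "Authorization: Bearer $1"
  else
    set -- -u "$ART_USER:$ART_PASS"
  fi
  curl -sS "$@" -d "username=$username" -d "scope=$scope" \
    "$ART_URL/artifactory/api/security/token"
}

# Walk the three steps from the report and print each token's subject.
repro() {
  root=$(create_token "" root_token "$ART_ADMIN_SCOPE" | json_field access_token)
  echo "root_token   sub: $(jwt_sub "$root")"

  sub=$(create_token "$root" sub_token "member-of-groups:readers,sub-group" | json_field access_token)
  echo "sub_token    sub: $(jwt_sub "$sub")"

  # Step 3 with the bare username: the report says this is rejected.
  echo "bare name    -> $(create_token "$sub" sub_token member-of-groups:readers | json_field error_description)"

  # Workaround from the report: prefix the username with "token:".
  nested=$(create_token "$sub" token:sub_token member-of-groups:readers | json_field access_token)
  echo "token: name  sub: $(jwt_sub "$nested")"
}

# Only talk to a server when one is configured; the helpers above work offline.
if [ -n "${ART_URL:-}" ]; then
  repro
fi
```

Run it with the four environment variables exported; the printed subjects show at which step the "token:" prefix is introduced and whether it stacks, which is the claim the report makes from the usernames alone.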