dimas-b commented on code in PR #1001:
URL: https://github.com/apache/polaris/pull/1001#discussion_r1960905977
##########
service/common/src/main/java/org/apache/polaris/service/auth/JWTBroker.java:
##########
@@ -86,10 +88,13 @@ public String getSub() {
@Override
public String getScope() {
- return decodedJWT.getClaim("scope").asString();
+ return decodedJWT.getClaim(CLAIM_KEY_SCOPE).asString();
}
};
+ } catch (TokenExpiredException e) {
+ LOGGER.error("Credentials have timed out with error", e);
+ throw new AuthenticationTimeoutException("Credentials have timed out");
Review Comment:
1) From a general security perspective, I believe is preferable to avoid
disclosing unnecessary information. A response that specifically indicates the
token has expired indicated that aside from the expiry date the token was
valid. This can be used as a leverage in attacks.
2) There appears to be [prior
usage](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes) of the 419
repose code by `Laravel Framework` with a _different_ meaning related to
"Cross-Site Request Forgery (CSRF)" tokens.
3) 419 is generally not used by any well-known IdPs, so it will be
impossible for Polaris to produce consistent response code when external IdPs
are supported.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
