
Wrong use of certificates in ZAAS client #1513

@pj892031

Description

Describe the bug
The ZAAS client requires a keystore to be established. It is used for signing calls against the Gateway. This is really needed only for the endpoint where high security is necessary, and that is only the /ticket endpoint. For other endpoints, the behavior is strange if the Gateway has client certificates enabled. In this case the ZAAS client also signs the login call, and X509 authentication has higher priority. It means that the Gateway authorizes the user by the certificate CN and generates a JWT for it. The purpose of calling login via ZAAS is to verify a user of a different service. This is a security issue because users obtain a JWT for a different user's name, which can have higher privileges (if the CN corresponds to a real user). In any case, the subsequent communication is not what is expected.

Steps to Reproduce

  1. Start APIML with client certificates enabled.
  2. Call login in the ZAAS client.

The obtained JWT contains a sub value filled with the CN from the certificate, not from the JSON in the body of the request.

Expected behavior
The ZAAS client shouldn't use the client certificate for the auth endpoints (login, logout and query).

Screenshots
If applicable, add screenshots to help explain your problem.

Logs
If applicable, add server logs collected at the time of your problem.

Details

  • Version and build number: [e.g. 0.4.4-SNAPSHOT build # 155]
  • We found it on the FIX-it instance (19.2) after changing the configuration of APIML, but this bug has been in the ZAAS client from the beginning and in APIML since it started supporting client certificates.
  • Test environment: [either defined Zowe test environment: Marist (1, 2, 3), River, or your own environment: z/OS version and z/OSMF version]

API Catalog Web UI (in case of API Catalog issue):

  • OS: [e.g. macOS, Windows]
  • Browser [e.g. Chrome, Safari]
  • Version [e.g. 71.0.3578.98]

REST API client (in case of REST API issue):

  • Technology: [e.g. Spring Boot, Node.js]
  • OS: [e.g. Windows 10]

Additional context
Add any other context about the problem here.

https://github.com/zowe/api-layer/wiki/Issue-management
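As an added example (not from this issue or from the Zowe code base), a client-side check for the behavior described above: after a login call, confirm that the JWT's sub claim is the user whose credentials were sent in the request body, so a token minted for the client certificate's CN is rejected instead of used. The HS256 secret, the user names and the token layout are constructed assumptions; a real Gateway token is signed with the Gateway's own key and would be verified with its public key.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in secret. A real Gateway JWT is signed with the Gateway's
# own key, so in practice verify with the Gateway's public key instead.
SECRET = b"constructed-example-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT (constructed stand-in for a Gateway-issued token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def check_login_subject(token: str, requested_user: str, secret: bytes = SECRET) -> bool:
    """True only if the token is validly signed AND its 'sub' is the user whose
    credentials were sent in the login body. A mismatch means another
    authentication path (here the X.509 client certificate CN) won."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False
    claims = json.loads(_b64url_decode(payload_b64))
    return claims.get("sub") == requested_user


# Constructed scenario: the ZAAS client logs in "alice" via the JSON body, but
# the client certificate CN is "svc-admin" and X.509 authentication took priority.
GOOD_TOKEN = make_jwt({"sub": "alice", "iss": "APIML"})
BAD_TOKEN = make_jwt({"sub": "svc-admin", "iss": "APIML"})

if __name__ == "__main__":
    print(check_login_subject(GOOD_TOKEN, "alice"))  # True
    print(check_login_subject(BAD_TOKEN, "alice"))   # False: reject and alert
```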
