[ https://issues.apache.org/jira/browse/KNOX-850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15853376#comment-15853376 ]
ASF subversion and git services commented on KNOX-850:
------------------------------------------------------
Commit 47c1f4ac2ec942cad7472f7aa3ef6201b96f1e0b in knox's branch
refs/heads/master from [~lmccay]
[ https://git-wip-us.apache.org/repos/asf?p=knox.git;h=47c1f4a ]
KNOX-850 - KnoxToken API for Acquiring a Knox Access Token
> KnoxToken API for Acquiring a Knox Access Token
> -----------------------------------------------
>
> Key: KNOX-850
> URL: https://issues.apache.org/jira/browse/KNOX-850
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Labels: kip-4
> Fix For: 0.12.0
>
>
> The cookie used in KnoxSSO contains an underlying JWT token to represent the
> authentication event and the audiences for which it is valid.
> This feature will allow an API client to directly request a Knox access token
> based on the configured authentication provider for the token service. This
> will essentially allow a client to exchange HTTP basic credentials for an
> access token that can be used until it expires.
> There are a number of use cases for this token format for direct API access:
> 1. Through the use of a related CLI command for acquiring a token, KnoxShell
> scripts or programs can collect the token with a new required
> CredentialCollector from the user's home directory and issue REST API
> requests using it as a Bearer token credential. This allows the user to only
> provide initial credentials to the knox login CLI and have an SSO session
> based on the token until expiration. Similar to Kerberos kinit with user
> credentials.
> 2. Similarly, headless, scheduled scripts and programs can run using this
> same sort of credential in more of a Kerberos keytab manner. Meaning, the
> token has a very long or never expiring lifetime. OPEN QUESTION: keytabs are
> invalidated when the user's password changes - how do we provide such an
> out-of-band invalidation?
> 3. There may also be webapp use cases for access token use.
> Will need to have complementing JIRAs for knox login CLI, KnoxToken
> credential collector and to add a federation provider that accepts the access
> token as a bearer token.
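Use case 1 in the description has a script read a cached token from the user's home directory and send it as a Bearer credential until it expires. The Python sketch below is an added example, not Knox or KnoxShell code: it checks the cache file's permissions, the `exp` claim and, optionally, `aud` before building the header. The file layout (one compact JWT per file), the function names and the sample token are assumptions constructed for illustration.

```python
import base64, json, os, stat, time

def jwt_claims(token):
    """Decode the payload of a compact JWT. No signature check: the
    gateway verifies the token; the client only inspects its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))

def bearer_header(path, audience=None, now=None, skew=30):
    """Build an Authorization header from a cached token file, or raise."""
    # A bearer token is a password equivalent: refuse a cache file that
    # group or other can access.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise PermissionError(f"{path}: must be accessible by owner only")
    with open(path) as f:
        token = f.read().strip()
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    # No "exp" claim is treated as non-expiring (the keytab-like case, item 2).
    exp = claims.get("exp")
    if exp is not None and now >= exp - skew:
        raise ValueError("token expired: log in again")
    # "aud" may be a string or a list; absent is treated here as unrestricted.
    aud = claims.get("aud")
    if audience is not None and aud is not None:
        if audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("token not issued for this audience")
    return {"Authorization": "Bearer " + token}

def make_sample_token(claims):
    """Constructed sample: real header/payload encoding, dummy signature."""
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        cache = os.path.join(d, "token")  # hypothetical cache location
        with open(cache, "w") as f:
            f.write(make_sample_token({"sub": "guest", "exp": time.time() + 60}))
        os.chmod(cache, 0o600)
        print(bearer_header(cache)["Authorization"][:24] + "...")
```

The client-side checks only avoid sending a token that is already useless or exposed; the receiving service must still verify the signature and claims itself.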