I think my point was that line of sight isn't necessarily required.
For LDAP based authentication, I suppose it is.

But for many SSO based flows it is not, as the browser is typically
redirected and therefore would need line of sight but Knox wouldn't care
until it redirected back with a cookie or the like.
There are also cases where Knox will authenticate tokens (JWTs, passcode,
etc) locally and not rely on other services or redirects, etc.

So, it isn't necessarily an assumption for the entire feature but may be
required for things like LDAP.


On Mon, Feb 12, 2024 at 7:56 PM Sandeep Moré <moresand...@gmail.com> wrote:

> Thanks Larry!
> My numbering got messed up, I fixed it now! Good catch on the external IdP,
> I changed the wording to "Knox needs to have a clear line of sight to the
> IdP." The previous choice of words was confusing.
> Thank you for taking a look and looking forward to your feedback.
>
>
> On Mon, Feb 12, 2024 at 7:30 PM larry mccay <lmc...@apache.org> wrote:
>
> > Very interesting, @Sandeep More <moresand...@gmail.com> - thank you for
> > this!
> >
> > Looks like there is a missing UC2.
> > I also note a comment that a clear line of sight is required - I may need
> > more information on that but need to read it in greater detail.
> > Look forward to reading it closely!
> >
> > thanks
> >
> > --larry
> >
> > On Fri, Feb 9, 2024 at 3:39 PM Sandeep Moré <moresand...@gmail.com> wrote:
> >
> > > Hello Folks,
> > > With workloads moving towards Kubernetes we should think about using Knox
> > > for authentication and authorization in Kubernetes.
> > >
> > > I created a design document (KIP) which includes design and use cases I
> > > can think of:
> > >
> > >
> > > https://cwiki.apache.org/confluence/display/KNOX/KIP-16+Knox+as+External+Authorizer+in+Kubernetes
> > >
> > > I would love to know your thoughts, comments and critiques on this.
> > >
> > > Best,
> > > Sandeep
> > >
> >
>
