Larry McCay created KNOX-3273:
---------------------------------

             Summary: Short Lived Tokens for Client Credential Flows
                 Key: KNOX-3273
                 URL: https://issues.apache.org/jira/browse/KNOX-3273
             Project: Apache Knox
          Issue Type: Improvement
          Components: JWT
            Reporter: Larry McCay
            Assignee: Larry McCay
             Fix For: 3.0.0


This change will extend the client credentials flow support to include the use of
JWT tokens rather than long lived client_id and client_secret values.

This is preferred for scenarios where short lived JWTs are readily available to
clients, such as Service Accounts within k8s clusters and projected JWT credentials.

Rather than using client_id and client_secret as bearer or HTTP basic credentials,
we will use the client_assertion form parameter together with the client_assertion_type of
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer".

POST /token.oauth2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiJ9...&  <- K8s SA JWT
scope=openid profile email
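The following is an added example, not Knox code, showing what a token endpoint has to check before it accepts the request above: the grant type, the client_assertion_type URN, and then the assertion itself (algorithm allowlist, signature, issuer, audience naming this token endpoint, expiry and subject) before minting a deliberately short lived access token. All URLs, keys and the service-account name are constructed. One simplification is labelled in the code: the assertion and the issued token are signed with HS256 shared keys so the script runs on the standard library alone, whereas a real deployment would verify the service-account JWT's RS256 signature against the Kubernetes API server's published keys.

```python
"""Token endpoint handling of a JWT client assertion (RFC 7523 style).
Added example, not Apache Knox code; every name, URL and key is constructed."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT_AUD = "https://knox.example.com/token.oauth2"   # constructed
TRUSTED_ISSUER = "https://kubernetes.default.svc"              # constructed
# Assumption: HS256 with shared keys stands in for RS256 verification against the
# Kubernetes API server's published keys, so the example runs without extra packages.
ASSERTION_KEY = b"constructed-assertion-verification-key"
ACCESS_TOKEN_KEY = b"constructed-knox-signing-key"
ACCESS_TOKEN_TTL = 300  # seconds; the token we issue is deliberately short lived


class InvalidAssertion(Exception):
    """Raised when the client_assertion fails any validation step."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT; used for the SA assertion and for the issued token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def decode_claims(token: str) -> dict:
    """Read the payload of a compact JWT without verifying it (for inspection only)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_client_assertion(token: str, key: bytes, now: float) -> dict:
    """Check algorithm, signature, issuer, audience, expiry and subject of the assertion."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidAssertion("not a compact JWT")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:
        raise InvalidAssertion("malformed JWT")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidAssertion("malformed JWT")
    # Allowlist the algorithm so "none" or an unexpected alg is rejected outright.
    if header.get("alg") != "HS256":
        raise InvalidAssertion("unsupported alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidAssertion("bad signature")
    if claims.get("iss") != TRUSTED_ISSUER:
        raise InvalidAssertion("untrusted issuer")
    aud = claims.get("aud")
    if TOKEN_ENDPOINT_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidAssertion("audience does not name this token endpoint")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise InvalidAssertion("assertion expired or has no exp")
    if not claims.get("sub"):
        raise InvalidAssertion("missing sub")
    return claims


def handle_token_request(form_body: str, now=None):
    """Process a client_credentials request carrying a client_assertion.
    Returns (http_status, json_body) following RFC 6749 error codes."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    if form.get("client_assertion_type") != JWT_BEARER or "client_assertion" not in form:
        return 400, {"error": "invalid_request"}
    try:
        sa = verify_client_assertion(form["client_assertion"], ASSERTION_KEY, now)
    except InvalidAssertion:
        return 401, {"error": "invalid_client"}
    access_token = sign_jwt({
        "iss": "https://knox.example.com",  # constructed
        "sub": sa["sub"],
        "scope": form.get("scope", ""),
        "iat": int(now),
        "exp": int(now) + ACCESS_TOKEN_TTL,
    }, ACCESS_TOKEN_KEY)
    return 200, {"access_token": access_token, "token_type": "Bearer",
                 "expires_in": ACCESS_TOKEN_TTL}


def sample_request(assertion_exp: float, key: bytes = ASSERTION_KEY) -> str:
    """Build the form body from the issue text with a constructed service-account JWT."""
    assertion = sign_jwt({
        "iss": TRUSTED_ISSUER,
        "sub": "system:serviceaccount:default:knox-client",  # constructed SA name
        "aud": [TOKEN_ENDPOINT_AUD],
        "exp": assertion_exp,
    }, key)
    return ("grant_type=client_credentials&"
            f"client_assertion_type={JWT_BEARER}&"
            f"client_assertion={assertion}&"
            "scope=openid+profile+email")


if __name__ == "__main__":
    print(handle_token_request(sample_request(time.time() + 600)))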
--
This message was sent by Atlassian Jira
(v8.20.10#820010)