[
https://issues.apache.org/jira/browse/KNOX-3273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Larry McCay updated KNOX-3273:
------------------------------
Description:
This change will extend the client credentials flow support to include the use
of
JWT tokens rather than long lived client_id and client_secret.
This is preferred for scenarios where short lived JWTs are readily available to
clients
such as Service Accounts within k8s clusters and projected JWT credentials.
Rather than using client_id and client_secret as bearer or HTTP basic
credentials,
we will use the client_assertion param based on the client_assertion_type of
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer".
POST /token.oauth2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiJ9... <- K8s SA JWT
scope=openid profile email
was:
This change will extend the client credentials flow support to include the use
of
JWT tokens rather than long lived client_id and client_secret.
This is preferred for scenarios where short lived JWTs are readily available to
clients
such as Service Accounts within k8s clusters and projected JWT credentials.
Rather than using client_id and client_secret as bearer or HTTP basic
credentials,
we will use the client_assertion header based on the client_assertion_type of
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer".
POST /token.oauth2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiJ9... <- K8s SA JWT
scope=openid profile email
> Short Lived Tokens for Client Credential Flows
> ----------------------------------------------
>
> Key: KNOX-3273
> URL: https://issues.apache.org/jira/browse/KNOX-3273
> Project: Apache Knox
> Issue Type: Improvement
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 3.0.0
>
>
> This change will extend the client credentials flow support to include the
> use of
> JWT tokens rather than long lived client_id and client_secret.
> This is preferred for scenarios where short lived JWTs are readily available
> to clients
> such as Service Accounts within k8s clusters and projected JWT credentials.
> Rather than using client_id and client_secret as bearer or HTTP basic
> credentials,
> we will use the client_assertion param based on the client_assertion_type of
> "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".
> POST /token.oauth2 HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> grant_type=client_credentials&
> client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
> client_assertion=eyJhbGciOiJSUzI1NiJ9... <- K8s SA JWT
> scope=openid profile email
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
