lmccay opened a new pull request, #1171: URL: https://github.com/apache/knox/pull/1171
[KNOX-3273](https://issues.apache.org/jira/browse/KNOX-3273) - Short Lived Tokens for Client Credentials Flow

## What changes were proposed in this pull request?

This change will extend the client credentials flow support to include the use of JWT tokens rather than long-lived client_id and client_secret. This is preferred for scenarios where short-lived JWTs are readily available to clients, such as Service Accounts within k8s clusters and projected JWT credentials.

Rather than using client_id and client_secret as bearer or HTTP basic credentials, we will use the client_assertion param based on the client_assertion_type of "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".

```
POST /token.oauth2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiJ9... <- K8s SA JWT
scope=openid profile email
```

## How was this patch tested?

Existing and new unit tests were run and written.
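The request above, worked through from both sides as an added example (this is not Knox code from the PR, and it does not use Knox's API): a client builds the form-encoded token request carrying a `client_assertion`, and a token endpoint parses it, rejects anything that is not the jwt-bearer assertion type, verifies the assertion's signature, and checks `iss`, `aud`, `exp` and `sub` before treating the JWT as the client's credential. All names here (the issuer URL, service-account subject, audience, shared key) are constructed for the example. One assumption to note: a real Kubernetes service-account token is RS256-signed and would be verified against the cluster's public keys; this example signs with HS256 over a shared secret, using only the Python standard library, so that it runs offline. The validation steps are the same in either case.

```python
"""Client-credentials token request with a JWT client_assertion (RFC 7523 style).

Added illustration, not Knox project code. Signs with HS256 over a shared
secret as a stand-in for the RS256 Kubernetes service-account token shown in
the PR; every name below is constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


class InvalidClientAssertion(Exception):
    """Raised by the token endpoint when the request or assertion is unacceptable."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(key: bytes, iss: str, sub: str, aud: str, ttl: int, now=None) -> str:
    """Client side: mint a short-lived assertion (stand-in for a projected SA token)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_token_request(assertion: str, scope: str = "openid profile email") -> str:
    """Client side: the application/x-www-form-urlencoded body from the PR description."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_assertion_type": JWT_BEARER,
        "client_assertion": assertion,
        "scope": scope,
    })


def validate_token_request(body: str, key: bytes, expected_aud: str, trusted_issuers, now=None) -> dict:
    """Token endpoint side: parse the form, verify the assertion, return its claims."""
    now = int(time.time()) if now is None else now
    form = parse_qs(body, strict_parsing=True)

    def one(name: str) -> str:
        # Each parameter must appear exactly once (RFC 6749 section 3.1); duplicates
        # are a classic way to smuggle a second, unchecked value past a parser.
        values = form.get(name)
        if not values or len(values) != 1:
            raise InvalidClientAssertion(f"{name} must appear exactly once")
        return values[0]

    if one("grant_type") != "client_credentials":
        raise InvalidClientAssertion("unsupported grant_type")
    if one("client_assertion_type") != JWT_BEARER:
        raise InvalidClientAssertion("unsupported client_assertion_type")

    parts = one("client_assertion").split(".")
    if len(parts) != 3:
        raise InvalidClientAssertion("client_assertion is not a compact JWS")
    header_b64, claims_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it ("none", alg confusion).
    if header.get("alg") != "HS256":
        raise InvalidClientAssertion("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise InvalidClientAssertion("bad signature")

    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") not in trusted_issuers:
        raise InvalidClientAssertion("untrusted issuer")
    aud = claims.get("aud")
    if not (aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)):
        raise InvalidClientAssertion("assertion not intended for this token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise InvalidClientAssertion("assertion expired or has no exp")
    if not claims.get("sub"):
        raise InvalidClientAssertion("assertion has no sub")
    return claims


if __name__ == "__main__":
    key = b"constructed-shared-secret"      # constructed; real SA tokens use RS256 keys
    issuer = "https://kubernetes.default.svc"
    token_endpoint = "https://knox.example/token.oauth2"
    assertion = make_client_assertion(key, issuer, "system:serviceaccount:demo:app", token_endpoint, 600)
    body = build_token_request(assertion)
    print(validate_token_request(body, key, token_endpoint, {issuer})["sub"])
```

The `aud` check is the one most often skipped and the one that matters most for service-account tokens: a projected token minted for some other service must not be accepted at this token endpoint, and a short `exp` limits the damage if a token leaks.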
