[ 
https://issues.apache.org/jira/browse/KNOX-3273?focusedWorklogId=1008438&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1008438
 ]

ASF GitHub Bot logged work on KNOX-3273:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/Mar/26 23:04
            Start Date: 08/Mar/26 23:04
    Worklog Time Spent: 10m 
      Work Description: lmccay opened a new pull request, #1171:
URL: https://github.com/apache/knox/pull/1171

   [KNOX-3273](https://issues.apache.org/jira/browse/KNOX-3273) - Short Lived Tokens for Client Credentials Flow
   
   ## What changes were proposed in this pull request?
   
   This change will extend the client credentials flow support to include the use of JWT tokens rather than long lived client_id and client_secret.
   
   This is preferred for scenarios where short lived JWTs are readily available to clients such as Service Accounts within k8s clusters and projected JWT credentials.
   
   Rather than using client_id and client_secret as bearer or HTTP basic credentials, we will use the client_assertion param based on the client_assertion_type of "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".
   
   ```
   POST /token.oauth2 HTTP/1.1
   Content-Type: application/x-www-form-urlencoded
   
   grant_type=client_credentials&
   client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
   client_assertion=eyJhbGciOiJSUzI1NiJ9...&   <- K8s SA JWT
   scope=openid%20profile%20email
   ```
   
   ## How was this patch tested?
   
   Existing and new unit tests were run and written.
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 1008438)
    Remaining Estimate: 0h
            Time Spent: 10m

> Short Lived Tokens for Client Credential Flows
> ----------------------------------------------
>
>                 Key: KNOX-3273
>                 URL: https://issues.apache.org/jira/browse/KNOX-3273
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: JWT
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> This change will extend the client credentials flow support to include the use of JWT tokens rather than long lived client_id and client_secret.
> This is preferred for scenarios where short lived JWTs are readily available to clients such as Service Accounts within k8s clusters and projected JWT credentials.
> Rather than using client_id and client_secret as bearer or HTTP basic credentials, we will use the client_assertion param based on the client_assertion_type of "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".
> POST /token.oauth2 HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> grant_type=client_credentials&
> client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
> client_assertion=eyJhbGciOiJSUzI1NiJ9...&   <- K8s SA JWT
> scope=openid%20profile%20email



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
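The exchange the PR describes, worked through on both sides as an added example (this is not Knox code and not part of the issue or the pull request): the client builds the `client_credentials` form body with a `client_assertion` JWT, and the token endpoint parses the body, checks the assertion type, verifies the JWT's signature, issuer, audience and expiry, takes the client identity from `sub` instead of a stored `client_secret`, and returns a short-lived access token. Everything here is constructed for illustration: the HS256 shared key stands in for the issuer's RS256 public key (a real Kubernetes service-account token is RS256 and would be verified against the cluster issuer's JWKS), and the issuer URL, token-endpoint URL, service-account name and 300-second token lifetime are assumed values, not anything taken from Knox.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Constructed example values; none of these come from Knox or a real cluster.
ISSUER_KEY = b"constructed-example-key-not-a-real-secret"   # HS256 stand-in for the issuer's RSA key
EXPECTED_ISSUER = "https://kubernetes.default.svc"            # assumed trusted issuer
TOKEN_ENDPOINT = "https://gateway.example.com/token.oauth2"    # assumed audience the SA token is projected for
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ACCESS_TOKEN_TTL = 300  # seconds; the issued token is deliberately short-lived


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_assertion(sub: str, aud: str, exp: int, key: bytes = ISSUER_KEY, iss: str = EXPECTED_ISSUER) -> str:
    """Client side: a compact JWS shaped like a projected service-account token (HS256 here)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": iss, "sub": sub, "aud": aud, "exp": exp, "iat": exp - 600}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def build_token_request(assertion: str, scope: str = "openid profile email") -> str:
    """Client side: the form body from the PR description, properly URL-encoded."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
        "scope": scope,
    })


def verify_assertion(token: str, now: int, key: bytes = ISSUER_KEY) -> dict:
    """Server side: signature first, then issuer, audience, expiry and subject. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token pick it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if TOKEN_ENDPOINT not in aud:
        raise ValueError("audience mismatch")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("assertion expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def handle_token_request(body: str, now: int) -> dict:
    """Server side: parse the x-www-form-urlencoded body and return the token response (or an error)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    if form.get("client_assertion_type") != CLIENT_ASSERTION_TYPE or "client_assertion" not in form:
        return {"error": "invalid_client"}
    try:
        claims = verify_assertion(form["client_assertion"], now)
    except ValueError as e:
        return {"error": "invalid_client", "error_description": str(e)}
    # The client identity is the assertion's subject; no client_secret is stored or compared.
    return {
        "access_token": f"constructed-opaque-token-for-{claims['sub']}",
        "token_type": "Bearer",
        "expires_in": ACCESS_TOKEN_TTL,
        "scope": form.get("scope", ""),
        "client_id": claims["sub"],
    }


if __name__ == "__main__":
    now = int(time.time())
    sa = "system:serviceaccount:default:my-app"  # assumed service-account subject
    print(handle_token_request(build_token_request(mint_assertion(sa, TOKEN_ENDPOINT, now + 600)), now))
    print(handle_token_request(build_token_request(mint_assertion(sa, TOKEN_ENDPOINT, now - 1)), now))
```

The audience check is what makes a projected token safe to hand to the gateway: a service-account token projected for a different audience, or one whose `exp` has passed, is rejected with `invalid_client` before any identity is derived from it.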
