[ https://issues.apache.org/jira/browse/KNOX-3285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18074046#comment-18074046 ]

Larry McCay commented on KNOX-3285:
-----------------------------------

FYI - This work is going to move away from the non-standard OBO implementation 
details to a standards-based combination of sub and act and token exchanges, 
etc.

> Add Support for OBO OAuth Flows to Knox
> ---------------------------------------
>
>                 Key: KNOX-3285
>                 URL: https://issues.apache.org/jira/browse/KNOX-3285
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: JWT
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>         Attachments: image-2026-03-23-19-01-13-904.png
>
>
> The On-Behalf-Of (OBO) flow enables middle-tier services to leverage Apache 
> Knox to call downstream services while preserving the original user's 
> identity and permissions. This document defines the contract that services 
> and applications must follow to participate in OBO flows.
> *Key Points:*
> * Middle-tier services exchange incoming user tokens for new tokens to call 
> downstream APIs
> * User identity and permissions are preserved throughout the call chain
> * Services must register as Knox clients and obtain client credentials
> * OBO tokens are short-lived and do not include refresh tokens
> *What is the On-Behalf-Of Flow?*
> The OBO flow is an OAuth 2.0 extension that allows a service to act on behalf 
> of a user when calling other services.
> *Flow Diagram*
> !image-2026-03-23-19-01-13-904.png!
>  
> *Key Characteristics*
> * User Identity Preservation: The downstream token carries the original 
> user's identity, not the service's identity
> * Delegated Permissions: Services receive tokens with delegated permissions 
> (scopes), not application-level permissions
> * Service Authentication: The middle-tier service must authenticate itself 
> when requesting OBO tokens
> * Token Chaining: Each service in the chain can use OBO to call the next 
> service
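The standards-based direction the comment points to, as an added illustration that is not Knox's own code: an RFC 8693-style token exchange in which the exchanged token keeps the user's `sub`, records each middle-tier service in a nested `act` claim (token chaining), can only narrow scope, and is short-lived with no refresh token. The issuer key, client registry and compact HMAC token format are constructed for this example.

```python
import base64, hashlib, hmac, json

# Constructed example values: an illustrative issuer key and a client registry of
# middle-tier services that have registered and obtained client credentials.
ISSUER_KEY = b"example-issuer-key-not-a-real-secret"
CLIENTS = {"svc-a": "secret-a", "svc-b": "secret-b"}
TOKEN_TTL = 300  # OBO tokens are short-lived; no refresh token is ever issued

def sign(claims):
    """Encode claims and append an HMAC-SHA256 tag (compact, illustrative format)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).rstrip(b"=").decode()
    return body + "." + hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify(token, now):
    """Check the tag and expiry, then return the claims."""
    body, tag = token.split(".")
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("invalid signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def issue_user_token(user, scope, now):
    """Token the user presents to the first middle-tier service (no actor yet)."""
    return sign({"iss": "example-issuer", "sub": user, "scope": scope,
                 "iat": int(now), "exp": int(now) + TOKEN_TTL})

def exchange(subject_token, client_id, client_secret, requested_scope, now):
    """RFC 8693-style exchange: the authenticated client becomes the actor while
    'sub' stays the original user; earlier actors nest inside 'act' (chaining)."""
    if client_id not in CLIENTS or not hmac.compare_digest(CLIENTS[client_id], client_secret):
        raise PermissionError("client must authenticate with its registered credentials")
    subject = verify(subject_token, now)
    requested = set(requested_scope.split())
    if not requested <= set(subject["scope"].split()):
        raise PermissionError("delegated scope cannot exceed the incoming token's scope")
    act = {"sub": client_id}
    if "act" in subject:
        act["act"] = subject["act"]  # previous actor moves one level deeper
    claims = {"iss": "example-issuer", "sub": subject["sub"], "act": act,
              "scope": " ".join(sorted(requested)), "iat": int(now), "exp": int(now) + TOKEN_TTL}
    return {"access_token": sign(claims), "token_type": "Bearer",
            "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
            "expires_in": TOKEN_TTL}  # deliberately no refresh_token
```

A downstream service that checks `sub` for authorization and inspects `act` for the calling chain sees the user's identity on every hop, which is the identity-preservation property the issue describes.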



--
This message was sent by Atlassian Jira
(v8.20.10#820010)