Larry McCay created KNOX-3334:
---------------------------------
Summary: Introduce ActorChainPrincipal for RFC 8693 instead of ImpersonatedPrincipal
Key: KNOX-3334
URL: https://issues.apache.org/jira/browse/KNOX-3334
Project: Apache Knox
Issue Type: Bug
Components: JWT
Reporter: Larry McCay
Assignee: Larry McCay
Fix For: 3.0.0
KNOX-3321 provided an initial implementation for RFC 8693 and added an 'act' claim
to the returned JWT based on the presence of the ImpersonatedPrincipal and on
delegated auth being enabled on the KnoxToken service.
This falls short of what we need to support token exchanges that already
include an 'act' claim in the subject token. To support this properly, we need
the previous 'act' claim represented in the Java Subject with the full chain
represented. We will then add the next actor subclaim to the chain from within
the KnoxToken service, effectively continuing the chain as it flows through the
actors for the given request.
To support this, we should introduce a new principal called ActorChainPrincipal
which will have an extended interface to provide the list of 'act' claims
within the presented token for building out the chain in the new token.
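The chain-continuation behaviour described above, as an added illustration that is not Knox code (Python rather than Knox's Java, and the function names, the sample claims and the actor URL are constructed for the example): the nested 'act' claims of the subject token are flattened into the list an ActorChainPrincipal-style interface would expose, and the next actor is added by nesting the previous 'act' claim under it, following the layout in RFC 8693 section 4.1 (outermost 'act' is the most recent actor).

```python
import json
from copy import deepcopy

# Constructed sample subject-token claims in the RFC 8693 section 4.1 shape:
# the outermost "act" is the most recent actor, each nested "act" an earlier one.
SUBJECT_TOKEN_CLAIMS = {
    "iss": "https://issuer.example.com",
    "sub": "user@example.com",
    "act": {
        "sub": "https://service16.example.com",
        "act": {"sub": "https://service77.example.com"},
    },
}


def actor_chain(claims):
    """Flatten nested 'act' claims into a list, most recent actor first.

    This is what an ActorChainPrincipal-style interface would expose so the
    token service can continue an existing chain instead of starting a new one.
    Returns [] when the token carries no delegation yet; rejects a malformed
    'act' (not an object, or without a string 'sub') rather than guessing.
    """
    chain = []
    act = claims.get("act")
    while act is not None:
        if not isinstance(act, dict) or not isinstance(act.get("sub"), str):
            raise ValueError("malformed 'act' claim: %r" % (act,))
        chain.append(act["sub"])
        act = act.get("act")
    return chain


def add_actor(claims, actor):
    """Return new claims with `actor` as the current actor.

    The previous 'act' claim (if any) is validated and nested under the new
    one, so the full chain presented in the subject token is preserved.
    """
    new_claims = deepcopy(claims)
    new_act = {"sub": actor}
    if "act" in claims:
        actor_chain(claims)  # fail early on a malformed incoming chain
        new_act["act"] = deepcopy(claims["act"])
    new_claims["act"] = new_act
    return new_claims


if __name__ == "__main__":
    exchanged = add_actor(SUBJECT_TOKEN_CLAIMS, "https://knox-gateway.example.com")
    print(json.dumps(exchanged, indent=2))
    print(actor_chain(exchanged))
```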