[jira] [Work logged] (KNOX-3347) Introduce TokenExchangePrincipal for extending Act claim for token_exchange

Fri, 12 Jun 2026 15:07:06 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-3347?focusedWorklogId=1025006&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1025006
 ]

ASF GitHub Bot logged work on KNOX-3347:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 12/Jun/26 22:06
            Start Date: 12/Jun/26 22:06
    Worklog Time Spent: 10m 
      Work Description: lmccay opened a new pull request, #1262:
URL: https://github.com/apache/knox/pull/1262

   [KNOX-1234](https://issues.apache.org/jira/browse/KNOX-3347) - Introduce 
TokenExchangePrincipal for extending Act claim for token_exchange
   
   ## What changes were proposed in this pull request?
   
   Currently, the ActorChainPrincipal includes whatever act chain was in the 
Subject token from the token_exchange. The presence of the 
ImpersonatedPrincipal is currently only added by the identity assertion 
provider based on a doAs and proxyuser based impersonation. This is required 
for the new actor to be added to the nested 'act' claim.
   
   Let's add the use of the TokenExchangePrincipal by the identity assertion 
logic that sets the ImpersonatedPrincipal in addition to the doAs pattern.
   
   We also have to keep the existing principal mapping logic intact so that the 
token exchange reflects the mapped principal as appropriate even when not the 
principal requested in the token_exchange request.
   
   Also, be sure that the actor token is being properly validated.
   
   ## How was this patch tested?
   
   Existing tests run and new tests added.
   Manually tested as well.
   
   
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 1025006)
    Remaining Estimate: 0h
            Time Spent: 10m

> Introduce TokenExchangePrincipal for extending Act claim for token_exchange
> ---------------------------------------------------------------------------
>
>                 Key: KNOX-3347
>                 URL: https://issues.apache.org/jira/browse/KNOX-3347
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: JWT
>            Reporter: Larry McCay
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently, the ActorChainPrincipal includes whatever act chain was in the 
> Subject token from the token_exchange. The presence of the 
> ImpersonatedPrincipal is currently only added by the identity assertion 
> provider based on a doAs and proxyuser based impersonation. This is required 
> for the new actor to be added to the nested 'act' claim.
> Let's add not the use of the TokenExchangePrincipal to the identity assertion 
> logic that sets the ImpersonatedPrincipal in addition to the doAs pattern.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to