Thanks for bringing this discussion to the list, Harrison! This sounds like a great extension to the KnoxIDF effort and that it aligns with the direction of some other emerging Agentic Identity standards, most notably AgentAuth. When you say that token exchanges without policies will not be supported, I assume you mean when token exchange is configured for delegation rule enforcement and that we would still support plain token exchange for the same subject in other topologies, for instance.
The 'act' claim support has already been added to both the JWTProvider and to the KnoxToken service via https://issues.apache.org/jira/browse/KNOX-3321, https://issues.apache.org/jira/browse/KNOX-3334 and https://issues.apache.org/jira/browse/KNOX-3347 that should be ready to go once we have KNOX-3347 in (shortly).

For "kubernetes service accounts", I assume that you mean the SA projected JWT and the use of the JWTProvider for the token exchange implementation within KnoxIDF specific topologies. So, that isn't technically limited to kubernetes in any meaningful way unless we add some k8s specific call to the API Server or something. If we are verifying the token within JWTProvider then we will just need to have line of sight to the OAuth endpoints and jwks url in the k8s clusters.

Provided that I have the above correct, here is my +1.

On Sun, Jun 14, 2026 at 11:34 PM Harrison Sheinblatt <[email protected]> wrote:
> Hello,
>
> I’ve filed a feature request in
> https://issues.apache.org/jira/browse/KNOX-3349 with a high level
> description of the proposed feature.
>
> I’m interested in contributing to this feature in the KnoxIDF feature
> branch.
>
> Thank you,
>
> -Harrison Sheinblatt
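An added illustration, not Knox's code and not from either message above, of what "token exchange with delegation rule enforcement" means once the exchanged token carries an RFC 8693 'act' claim: the nested 'act' chain is walked and every actor must be permitted by policy to act for the subject, and an exchange with no policy configured is refused rather than allowed through. The `SAMPLE_CLAIMS` token, the policy shape (actor -> set of subjects, `"*"` for any) and the requirement that each actor in the chain be authorized are constructed assumptions for the example.

```python
"""Delegation policy check over an RFC 8693 'act' claim chain (example only)."""

# Constructed sample token payload: issued for subject "alice", most recently
# exchanged by "agent-a", which itself was acting on behalf of "gateway".
# Per RFC 8693 the outermost 'act' is the current actor; nested 'act' is its history.
SAMPLE_CLAIMS = {
    "sub": "alice",
    "iss": "https://idp.example/",  # placeholder issuer
    "act": {"sub": "agent-a", "act": {"sub": "gateway"}},
}


def actor_chain(claims):
    """Return actors from the current one outward, e.g. ["agent-a", "gateway"]."""
    chain = []
    act = claims.get("act")
    while act is not None:
        if not isinstance(act, dict) or "sub" not in act:
            raise ValueError("malformed 'act' claim")
        chain.append(act["sub"])
        act = act.get("act")
    return chain


def authorize_exchange(claims, policy):
    """Decide whether an exchange of this token may proceed.

    policy: dict mapping actor -> set of subjects it may act for ("*" = any),
    or None when no delegation policy has been configured at all.
    Returns (allowed: bool, reason: str).
    """
    if policy is None:
        # Delegation enforcement without a policy: fail closed.
        return False, "no delegation policy configured; exchange rejected"
    subject = claims["sub"]
    chain = actor_chain(claims)
    if not chain:
        return True, "plain exchange for the same subject, no delegation"
    for actor in chain:
        allowed = policy.get(actor, set())
        if subject not in allowed and "*" not in allowed:
            return False, f"actor {actor!r} not permitted to act for {subject!r}"
    return True, f"delegation chain {' <- '.join(chain)} permitted for {subject!r}"


if __name__ == "__main__":
    policy = {"agent-a": {"alice"}, "gateway": {"*"}}
    print(authorize_exchange(SAMPLE_CLAIMS, None))
    print(authorize_exchange(SAMPLE_CLAIMS, policy))
```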
