Thanks for the considerations Larry. To answer your questions:

1) Yes. Delegation authorization will be limited to endpoints explicitly deployed for policy-based delegation exchanges and will not affect same-subject token exchanges.

2) There are deployment-specific nuances based on the token's type and authority. The system will be extensible to add kubernetes API token validation in the future, but initially it will use JWKS validation, no different than for other external authorities. It's meant to be extensible to handle authorization for identities from any external authority. I'll file more detailed jiras with more detailed design and task plans that can be reviewed.

Thank you also for the act claim references, I'll sync to ensure the delegation policy work includes usage of this feature.

-Harrison

On Mon, Jun 15, 2026 at 7:33 AM larry mccay <[email protected]> wrote:

> Thanks for bringing this discussion to the list, Harrison!
>
> This sounds like a great extension to the KnoxIDF effort, and one that aligns with the direction of some other emerging Agentic Identity standards, most notably AgentAuth.
> When you say that token exchanges without policies will not be supported, I assume you mean when token exchange is configured for delegation rule enforcement and that we would still support plain token exchange for the same subject in other topologies, for instance.
>
> The 'act' claim support has already been added to both the JWTProvider and to the KnoxToken service via https://issues.apache.org/jira/browse/KNOX-3321, https://issues.apache.org/jira/browse/KNOX-3334 and https://issues.apache.org/jira/browse/KNOX-3347 that should be ready to go once we have KNOX-3347 in (shortly).
>
> For "kubernetes service accounts", I assume that you mean the SA projected JWT and the use of the JWTProvider for the token exchange implementation within KnoxIDF specific topologies. So, that isn't technically limited to kubernetes in any meaningful way unless we add some k8s specific call to the API Server or something. If we are verifying the token within JWTProvider then we will just need to have line of sight to the OAuth endpoints and jwks url in the k8s clusters.
>
> Provided that I have the above correct, here is my +1.
>
> On Sun, Jun 14, 2026 at 11:34 PM Harrison Sheinblatt <[email protected]> wrote:
>
>> Hello,
>>
>> I’ve filed a feature request in https://issues.apache.org/jira/browse/KNOX-3349 with a high level description of the proposed feature.
>>
>> I’m interested in contributing to this feature in the KnoxIDF feature branch.
>>
>> Thank you,
>>
>> -Harrison Sheinblatt
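The thread above distinguishes three things: a same-subject token exchange (no delegation policy, no `act` claim), a policy-gated delegation exchange that stamps the actor into an RFC 8693 `act` claim, and trusting an external authority such as a Kubernetes cluster purely through its issuer and JWKS. The following is an added, editor-written illustration of those three behaviours; it is not Knox, KnoxIDF or JWTProvider code. To run with the Python standard library only it uses symmetric HS256 JWKs (`kty` `oct`); a real external authority publishes RS256/ES256 keys, but the kid lookup, alg pinning and claim checks are the same. The issuer URLs, key ids, subjects and the delegation policy table are all constructed.

```python
"""Policy-gated OAuth 2.0 token exchange (RFC 8693) with the 'act' claim.

Added example, not Knox project code. Keys are symmetric (HS256) so the
block runs offline with the standard library; everything named below
(issuers, kids, subjects, policy) is constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWKS documents standing in for what an external authority
# (e.g. a cluster's OIDC discovery endpoint) and Knox itself would publish.
EXTERNAL_ISSUER = "https://k8s.example.internal"          # constructed
KNOX_ISSUER = "https://knox.example.internal"             # constructed
EXTERNAL_JWKS = {"keys": [{"kty": "oct", "kid": "k8s-1", "alg": "HS256",
                           "k": b64url_encode(b"constructed-external-key-01")}]}
KNOX_JWKS = {"keys": [{"kty": "oct", "kid": "knox-1", "alg": "HS256",
                       "k": b64url_encode(b"constructed-knox-key-01")}]}

# Trusted authorities: issuer -> (JWKS, audience a token must carry).
TRUSTED = {EXTERNAL_ISSUER: (EXTERNAL_JWKS, "knox-idf"),
           KNOX_ISSUER: (KNOX_JWKS, "knox-gateway")}

# Delegation policy: actor subject -> subjects it may act on behalf of.
DELEGATION_POLICY = {
    "system:serviceaccount:agents:report-bot": {"alice", "bob"},
    "system:serviceaccount:agents:summarizer": {"alice"},
}


def sign_jwt(claims: dict, jwks: dict, kid: str) -> str:
    key = next(k for k in jwks["keys"] if k["kid"] == kid)
    header = {"alg": key["alg"], "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(b64url_decode(key["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, jwks: dict, issuer: str, audience: str, now: int) -> dict:
    """Verify kid-selected signature, pinned alg, iss, aud and exp; return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    if header.get("alg") != key["alg"] or key["alg"] != "HS256":   # alg comes from the key, not the token
        raise ValueError("unsupported alg")
    expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def verify_trusted(token: str, now: int) -> dict:
    """Peek at iss (untrusted) only to pick the JWKS, then fully verify."""
    iss = json.loads(b64url_decode(token.split(".")[1])).get("iss")
    if iss not in TRUSTED:
        raise ValueError("untrusted issuer")
    jwks, audience = TRUSTED[iss]
    return verify_jwt(token, jwks, iss, audience, now)


def token_exchange(subject_token: str, actor_token, now: int, ttl: int = 300) -> str:
    """Same-subject exchange when actor_token is None; policy-gated delegation otherwise."""
    subject = verify_trusted(subject_token, now)
    claims = {"iss": KNOX_ISSUER, "sub": subject["sub"], "aud": "knox-gateway",
              "iat": now, "exp": now + ttl}
    if actor_token is None:
        return sign_jwt(claims, KNOX_JWKS, "knox-1")        # no policy, no 'act'
    actor = verify_trusted(actor_token, now)
    if subject["sub"] not in DELEGATION_POLICY.get(actor["sub"], set()):
        raise PermissionError(f"{actor['sub']} may not act for {subject['sub']}")
    act = {"sub": actor["sub"]}
    if "act" in subject:          # delegation chain: prior actor nests inside (RFC 8693 s4.1)
        act["act"] = subject["act"]
    claims["act"] = act
    return sign_jwt(claims, KNOX_JWKS, "knox-1")


def make_external_token(sub: str, now: int) -> str:
    """Constructed stand-in for a token minted by the external authority."""
    return sign_jwt({"iss": EXTERNAL_ISSUER, "sub": sub, "aud": "knox-idf",
                     "iat": now, "exp": now + 600}, EXTERNAL_JWKS, "k8s-1")


def inspect_issued(token: str, now: int) -> dict:
    return verify_jwt(token, KNOX_JWKS, KNOX_ISSUER, "knox-gateway", now)


if __name__ == "__main__":
    now = 1_800_000_000
    bot = make_external_token("system:serviceaccount:agents:report-bot", now)
    print(inspect_issued(token_exchange(make_external_token("alice", now), bot, now), now))
```

Two design points worth noting: the `alg` used for verification is taken from the JWK selected by `kid`, never from the token header, and a chained exchange keeps the earlier actor inside the new `act` claim rather than overwriting it, so the full delegation path stays auditable in the issued token.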
