Feature: Oauth JWT authentication support / AAD workload federation #164
We would like to have support for JWT auth.
https://datatracker.ietf.org/doc/html/rfc7523#section-2.2
urn:ietf:params:oauth:client-assertion-type:jwt-bearer
Our use case is that we use Azure AD (AAD) as our IDP.
We use k8s as our runtime platform.
We would like to go credential-less, so have the platform inject session credentials and not use permanent credentials.
For other means we use:
https://azure.github.io/azure-workload-identity/docs/
K8s can use https://kubernetes.io/docs/concepts/storage/projected-volumes/ to inject a JWT token into the pod.
The k8s platform is responsible for ensuring a valid token is present on the filesystem at any time and thus will refresh the token.
When only running in a single k8s cluster, with broker and all clients in the same cluster, a function that would allow the token to be fetched from file would be sufficient.
Our enterprise is larger; clients span more clusters / runtime environments.
For this reason we use AAD workload federation, where we can federate multiple k8s clusters into one single trusted IDP.
What we need is a function that will do a client credential grant on an IDP where it uses a JWT token as authentication (https://datatracker.ietf.org/doc/html/rfc7523#section-2.2).
The source of this token can of course differ, but for our case we need the token to come from the filesystem.
We can provide a PR for this but would like to discuss naming etc. with you to get a common understanding.

Comments

Seems like you already have an idea how you would like the configuration to look and how the execution flow would go differently compared to configuring the client credentials or the access token. Maybe you could describe your proposal in those terms (configuration, execution flow) so it's easier to discuss.

How about I'll make a quick PR to show the desired additional behavior and we'll take it from there?

Sounds good.

See my PR.

Greetings. Any progress related to this improvement?
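The flow the issue body asks for, written out as an added example (not this project's code and not the PR the reporter refers to): the client assertion is re-read from the projected-volume file on every token request, checked locally for expiry so a stale file is reported instead of silently failing at the IdP, and sent as `client_assertion` with the RFC 7523 section 2.2 `jwt-bearer` assertion type in a `client_credentials` grant. The token file path, client id, scope and all function names are assumptions; the token endpoint is whatever the tenant's AAD endpoint is.

```python
"""RFC 7523 section 2.2: client_credentials grant authenticated with a JWT
client assertion read from a Kubernetes projected volume (the Azure Workload
Identity pattern). Added, hypothetical example; paths and names are assumed."""
import base64
import json
import os
import tempfile
import time
import urllib.parse
import urllib.request

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Assumed mount path; the real one comes from the pod's projected volume spec.
DEFAULT_TOKEN_FILE = "/var/run/secrets/tokens/azure-identity-token"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def assertion_claims(jwt):
    """Decode the payload WITHOUT verifying the signature. Used only for a local
    freshness check; the IdP is the party that verifies the assertion."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("client assertion is not a compact-serialised JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_assertion(jwt, now=None, min_remaining=30):
    """Reject a token that is expired or about to expire: the platform should
    have rotated the file, and sending a stale assertion only yields an
    opaque invalid_client error from the IdP."""
    claims = assertion_claims(jwt)
    now = time.time() if now is None else now
    if claims.get("exp", 0) - now < min_remaining:
        raise RuntimeError("projected token expired or near expiry; check platform refresh")
    return jwt


def read_assertion(path=DEFAULT_TOKEN_FILE, now=None):
    """Re-read the file on every call. Kubernetes rewrites the projected token
    before it expires, so caching its contents in memory defeats the rotation."""
    with open(path, "r", encoding="utf-8") as fh:
        return validate_assertion(fh.read().strip(), now)


def token_request_body(client_id, assertion, scope):
    """Form fields for the token endpoint as defined in RFC 7523 section 2.2."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": assertion,
        "scope": scope,
    }


def build_token_request(token_endpoint, client_id, assertion, scope):
    data = urllib.parse.urlencode(token_request_body(client_id, assertion, scope)).encode()
    return urllib.request.Request(token_endpoint, data=data, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def fetch_access_token(token_endpoint, client_id, scope, token_file=DEFAULT_TOKEN_FILE):
    """Network call: exchange the file-sourced assertion for an access token.
    Returns (access_token, expires_in); the caller refreshes before expires_in."""
    req = build_token_request(token_endpoint, client_id, read_assertion(token_file), scope)
    with urllib.request.urlopen(req, timeout=10) as resp:
        payload = json.load(resp)
    return payload["access_token"], payload.get("expires_in")


def make_constructed_jwt(claims):
    """Constructed, UNSIGNED sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def demo_offline(now=1_700_000_000.0):
    """Write a constructed token to a temp file, read it the way the client
    would, and return the form body that would be POSTed (no network)."""
    jwt = make_constructed_jwt({"aud": "api://AzureADTokenExchange",
                                "sub": "system:serviceaccount:default:broker-client",
                                "exp": int(now) + 3600})
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(jwt + "\n")
        assertion = read_assertion(path, now=now)
    finally:
        os.unlink(path)
    # Placeholder client id; a real one is the AAD application (client) id.
    return token_request_body("00000000-0000-0000-0000-000000000000", assertion,
                              "example-scope/.default")


if __name__ == "__main__":
    print(json.dumps(demo_offline(), indent=2))
```

The one design point worth stressing is that the assertion is read from disk at request time rather than once at client construction: the reporter's platform guarantees a fresh file, not a fresh process, so a long-lived client that cached the first token would start failing after the projected token's lifetime with no change visible in the client's own configuration.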