I guess following scenario will be useful in a microservices deployment,
when we need to secure service to service communication.

Please find below the steps..

1. We create a service provider, and associate a CA's certificate
with it.
2. Now we have multiple microservices, each with a signed certificate from
the previous trusted CA.
3. Each of those microservices will be able to talk to the /token endpoint
of IS (or STS), authenticate with mTLS and get a token. The token request
also carries an audience value (or implied in scope).
4. IS treats the thumbprint of the cert (preferably SVID, in a
SPIFFE/Istio environment) as the client id, and the access token is issued
against it (which can be a JWT as well).
5. This new access token/JWT can be used for service to service
authentication, within the same domain or cross domain.

This helps to onboard all the microservices, carrying a key pair (as their
workload identity) to an OAuth environment.

WDYT..?

Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Blog: http://blog.facilelogin.com
Vlog: http://vlog.facilelogin.com
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
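The flow in steps 3 to 5, as an added example that is not part of the original post or of WSO2 IS: the STS side derives the client id from the SHA-256 thumbprint of the mTLS client certificate (the `x5t#S256` form from RFC 8705) and issues a JWT for the requested audience; the receiving service verifies the signature, audience and expiry, and additionally checks that the token is bound to the certificate of the peer presenting it, so a token stolen from one workload cannot be replayed by another. The HS256 key, the issuer URL and the DER byte strings standing in for real certificates are constructed for this example.

```python
import base64, hashlib, hmac, json, time

STS_KEY = b"constructed-sts-hmac-key"  # constructed: HS256 key shared by STS and services
ISSUER = "https://sts.example"          # constructed issuer identifier

# constructed stand-ins for DER-encoded client certificates signed by the trusted CA
ORDERS_CERT = b"constructed-der-orders-service"
BILLING_CERT = b"constructed-der-billing-service"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def cert_thumbprint(cert_der: bytes) -> str:
    # x5t#S256: base64url(SHA-256(DER certificate)); this value becomes the client id
    return b64url(hashlib.sha256(cert_der).digest())

def issue_token(client_cert_der: bytes, audience: str, ttl: int = 300, now=None) -> str:
    # STS/token endpoint side: caller already passed mTLS against the CA from step 1
    now = int(time.time()) if now is None else now
    tp = cert_thumbprint(client_cert_der)
    claims = {"iss": ISSUER, "sub": tp, "client_id": tp, "aud": audience,
              "iat": now, "exp": now + ttl, "cnf": {"x5t#S256": tp}}  # cert-bound token
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(STS_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_token(token: str, expected_aud: str, presented_cert_der: bytes, now=None) -> dict:
    # Receiving service side: the peer presented presented_cert_der on the mTLS connection
    now = int(time.time()) if now is None else now
    header, body, sig = token.split(".")
    expected = hmac.new(STS_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_aud:
        raise ValueError("issuer or audience mismatch")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["cnf"]["x5t#S256"] != cert_thumbprint(presented_cert_der):
        raise ValueError("token not bound to the presenting certificate")
    return claims
```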
