Larry McCay created KNOX-3285:
---------------------------------
Summary: Add Support for OBO OAuth Flows to Knox
Key: KNOX-3285
URL: https://issues.apache.org/jira/browse/KNOX-3285
Project: Apache Knox
Issue Type: Improvement
Components: JWT
Reporter: Larry McCay
Assignee: Larry McCay
Attachments: image-2026-03-23-19-01-13-904.png
The On-Behalf-Of (OBO) flow enables middle-tier services to leverage Apache
Knox to call downstream services while preserving the original user's identity
and permissions. This document defines the contract that services and
applications must follow to participate in OBO flows.
*Key Points:*
* Middle-tier services exchange incoming user tokens for new tokens to call
downstream APIs
* User identity and permissions are preserved throughout the call chain
* Services must register as Knox clients and obtain client credentials
* OBO tokens are short-lived and do not include refresh tokens
*What is the On-Behalf-Of Flow?*
The OBO flow is an OAuth 2.0 extension that allows a service to act on behalf
of a user when calling other services.
*Flow Diagram*
!image-2026-03-23-19-01-13-904.png!
*Key Characteristics*
* User Identity Preservation: The downstream token carries the original user's
identity, not the service's identity
* Delegated Permissions: Services receive tokens with delegated permissions
(scopes), not application-level permissions
* Service Authentication: The middle-tier service must authenticate itself when
requesting OBO tokens
* Token Chaining: Each service in the chain can use OBO to call the next service
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
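The exchange described in the issue, as an added example that is not Knox code and is not part of the original issue: a middle-tier service authenticates with its registered client credentials, presents the user's incoming token, and receives a short-lived token that keeps the user's `sub`, narrows scopes to those the user already held, records the acting service in an `act` claim (the delegation convention from RFC 8693 token exchange, assumed here as the modelling choice), and returns no refresh token. Chaining is shown by a second service exchanging the first OBO token. The HMAC signing key, the client registry, the claim layout and all secrets are constructed for the demo; Knox's real endpoints and claim names are not taken from the page.

```python
"""Simulated On-Behalf-Of (OBO) token exchange, modelled on RFC 8693.
Added illustration only; not Apache Knox code. Keys, client secrets,
claim names and the response shape are constructed assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER_KEY = b"constructed-demo-hmac-key"   # assumption: issuer signs with HMAC-SHA256
OBO_TTL_SECONDS = 300                       # OBO tokens are short-lived

# Constructed client registry: each middle-tier service registers with the
# issuer and is given client credentials (stored here as a SHA-256 of the secret).
CLIENTS = {
    "report-service": hashlib.sha256(b"report-secret").hexdigest(),
    "storage-service": hashlib.sha256(b"storage-secret").hexdigest(),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict) -> str:
    """Mint a compact signed token (header.payload.signature) for the demo."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify(token: str, now=None) -> dict:
    """Check signature and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def issue_user_token(user: str, scopes: list, ttl: int = 3600) -> str:
    """The token the user obtained by logging in; this is what the middle tier receives."""
    return sign({"iss": "demo-issuer", "sub": user, "scope": " ".join(scopes),
                 "exp": int(time.time()) + ttl, "jti": secrets.token_hex(8)})


def exchange(client_id: str, client_secret: bytes, subject_token: str,
             requested_scopes: list, audience: str, now=None) -> dict:
    """OBO exchange: authenticate the calling service, validate the user's token,
    then mint a short-lived token that keeps the user's identity (sub) and
    grants only scopes the user already had (delegated, not application, permissions)."""
    stored = CLIENTS.get(client_id)
    presented = hashlib.sha256(client_secret).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        raise PermissionError("client authentication failed")
    user = verify(subject_token, now)
    granted = sorted(set(user["scope"].split()) & set(requested_scopes))
    if not granted:
        raise PermissionError("no delegated scopes available")
    # 'act' names the acting service; earlier actors are nested so a chained
    # call (service A -> B -> C) stays auditable end to end.
    actor = {"sub": client_id}
    if "act" in user:
        actor["act"] = user["act"]
    issued = int(now if now is not None else time.time())
    obo = sign({"iss": "demo-issuer", "sub": user["sub"], "aud": audience,
                "scope": " ".join(granted), "act": actor, "iat": issued,
                "exp": issued + OBO_TTL_SECONDS, "jti": secrets.token_hex(8)})
    # Response shape follows RFC 8693; no refresh_token is ever returned.
    return {"access_token": obo,
            "issued_token_type": "urn:ietf:params:oauth:token-type:jwt",
            "token_type": "Bearer", "expires_in": OBO_TTL_SECONDS,
            "scope": " ".join(granted)}


if __name__ == "__main__":
    tok = issue_user_token("alice", ["read", "write"])
    resp = exchange("report-service", b"report-secret", tok, ["read"], "storage-service")
    print(json.dumps(verify(resp["access_token"]), indent=2))
```

The two checks a reviewer would look for are both visible in the returned claims: `sub` is still the user, never the service, and `scope` is the intersection of what was requested and what the user held, so a service cannot escalate through the exchange. A user token that has already expired or a wrong client secret is rejected before any OBO token is minted.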