Harrison Sheinblatt created KNOX-3349:
-----------------------------------------
Summary: Delegation Service extension for Knox IDF
Key: KNOX-3349
URL: https://issues.apache.org/jira/browse/KNOX-3349
Project: Apache Knox
Issue Type: New Feature
Components: JWT
Reporter: Harrison Sheinblatt
Assignee: Harrison Sheinblatt
Knox IDF
(https://cwiki.apache.org/confluence/display/KNOX/KIP-18+-+Knox+as+OIDC+Provider)
includes support for OIDC Client Credentials and Authorization Code flows.
This proposed extension adds support for RFC 8693 token exchange flows, with
delegation policies controlling authorization for subject-changing exchanges.
Initial use cases focus on delegation policies for confidential clients and
Kubernetes service accounts. Subject-changing exchanges for which no policy is
defined would be disallowed. The new token would use "act" claim chaining to
track the agent identity. Token exchanges and delegation policy lifecycle
events would be audited.
This change also proposes to add a trusted OIDC issuer registry that allows
dynamic OIDC JWKS discovery for allowed trusted issuers. This will allow
dynamic addition of trusted JWKS URLs compliant with OIDC discovery, without
needing to reload any Knox service. Initially it will be part of Knox IDF, but
it will be written to be portable so that when other use cases arise it can be
more easily shared.
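To make the proposed policy semantics concrete, here is an added illustration (constructed for this note, not Knox IDF code) of a subject-changing RFC 8693 exchange: a subject-changing request is allowed only when a delegation policy for the calling agent lists the new subject, denied by default otherwise, the agent is recorded in a nested "act" claim chain, and every decision is written to an audit list. The policy entries, agent names and the AUDIT_LOG sink are assumptions; tokens are plain claim dicts assumed to be already validated.

```python
"""RFC 8693 token exchange with delegation policies and "act" claim chaining.
Constructed illustration of the behaviour described in KNOX-3349, not Knox IDF
code.  Tokens are plain claim dicts that are assumed to be already validated."""

# Delegation policy: which agent may obtain a token for which subjects.
# Keys are the agent's `sub`; both entries are constructed examples.
DELEGATION_POLICIES = {
    "reporting-app": {"alice", "bob"},                          # confidential client
    "system:serviceaccount:analytics:etl-runner": {"etl-svc"},  # Kubernetes SA
}

AUDIT_LOG = []  # stands in for the audit sink; every decision lands here


def exchange(subject_token, actor, requested_subject=None):
    """Return the exchanged token's claims, or None when the exchange is denied.

    `actor` is the authenticated caller.  The exchange is subject-changing when
    `requested_subject` differs from the subject token's `sub`; such exchanges
    are permitted only if a delegation policy for `actor` lists the new subject
    and are denied by default when no policy exists for the actor.
    """
    current_sub = subject_token["sub"]
    new_sub = requested_subject or current_sub
    if new_sub != current_sub:
        allowed = DELEGATION_POLICIES.get(actor)
        if allowed is None or new_sub not in allowed:
            reason = "no delegation policy" if allowed is None else "subject not permitted by policy"
            AUDIT_LOG.append({"event": "token_exchange", "outcome": "denied", "actor": actor,
                              "from_sub": current_sub, "to_sub": new_sub, "reason": reason})
            return None
    # "act" chaining (RFC 8693 section 4.1): the outermost act is the current
    # actor; any chain already present on the subject token is nested inside.
    act = {"sub": actor}
    if "act" in subject_token:
        act["act"] = subject_token["act"]
    # Carry over issuer/audience only; a real issuer mints fresh time claims.
    claims = {k: subject_token[k] for k in ("iss", "aud") if k in subject_token}
    claims.update({"sub": new_sub, "act": act})
    AUDIT_LOG.append({"event": "token_exchange", "outcome": "allowed", "actor": actor,
                      "from_sub": current_sub, "to_sub": new_sub})
    return claims


if __name__ == "__main__":
    # An agent exchanges its own token for one acting on behalf of alice.
    print(exchange({"sub": "reporting-app", "iss": "knox"}, "reporting-app", "alice"))
    print(exchange({"sub": "unknown-app"}, "unknown-app", "alice"))  # None: no policy
```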
--
This message was sent by Atlassian Jira
(v8.20.10#820010)