On Tue, Dec 09, 2025 at 01:18:43PM -0800, Jacob Champion wrote: > [...] What do you think of
https://datatracker.ietf.org/doc/id/draft-williams-http-bearer-extension.txt ? Yes, it's HTTP-specific, but somee of that might be useful here. Also, what do you think of a GSS-API mechanism that supports JWT for client auth? I've a design in mind where if you ask for no security services in gss_init_sec_context()'s req_flags then you get a singular context token and it's just the JWT, and otherwise you get TLS 1.3 handshake messages as GSS tokens w/ ALPN to identify this as a GSS mech and the JWT as 0-rtt data or piggybacked (encrypteed either way) onto the client final, w/ TLS exporter for keying Kerberos per-message tokens. This would allow PG to support JWT via GSS-API. Look ma'! no changes! On the client/initiator side I'd have the client fetch a token as needed from the local, configured STS, and do something like Kerberos referrals (HTTP redirects) for "cross-realm" stuff if needed. Nico --
