Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

coexistence with bearer tokens #84

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

coexistence with bearer tokens #84

wants to merge 1 commit into from

Conversation

jsalowey
Copy link
Collaborator

Resolve with Issue #53

@jsalowey jsalowey linked an issue Dec 23, 2024 that may be closed by this pull request
Use of WIT without proof of possession and interop with legacy systems #53
Open
yaronf
yaronf requested changes Dec 23, 2024
View reviewed changes
draft-ietf-wimse-s2s-protocol.md
The WIT and WPT define new HTTP headers. They can therefore be presented along with existing headers used for JWT bearer tokens. This
property allows for transition from mechanisms using identity tokens based on bearer JWTs to proof of possession based WITs.
A workload may implement a policy that accepts both bearer tokens and WITs during a transition period. This policy may be configurable
per-caller to allow the workload reject bearer tokens from callers that support WITs. Once a deployment fully supports WITs, then the use of
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
per-caller to allow the workload reject bearer tokens from callers that support WITs. Once a deployment fully supports WITs, then the use of
per-caller to allow the workload to reject bearer tokens from callers that support WITs. Once a deployment fully supports WITs, then the use of

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest to add: Implementations should be careful when implementing such a transition strategy, since the decision which token to prefer is made when the caller's identity has still not been authenticated, and needs to be revalidated following the authentication step.

draft-ietf-wimse-s2s-protocol.md
authorization policy may take into account both the sending workload's identity and the information in the context token. For example, the
identity in the WIT may be used to establish which API calls can be made and information in the context token may be used to determine
which specific resources can be accessed.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is OK for now, but I think eventually we will want one subsection for coexistence with legacy stuff and another for authorization.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yaronf yaronf yaronf requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use of WIT without proof of possession and interop with legacy systems
3 participants
@jsalowey @yaronf @joe-venafi