
Feature: OAuth JWT authentication support / AAD workload federation #164

Open
sander-su opened this issue Oct 11, 2022 · 5 comments

Comments

@sander-su

We would like to have support for JWT auth.
https://datatracker.ietf.org/doc/html/rfc7523#section-2.2
urn:ietf:params:oauth:client-assertion-type:jwt-bearer

Our use case is that we use Azure AD (AAD) as our IDP.
We use k8s as our runtime platform.
We would like to go credential-less, so have the platform inject session credentials and do not use permanent credentials.
For other means we use:
https://azure.github.io/azure-workload-identity/docs/

K8s can use https://kubernetes.io/docs/concepts/storage/projected-volumes/ to inject a jwt token into the pod.
The k8s platform is responsible for ensuring a valid token is present on the filesystem at any time and thus will refresh the token.
When only running in a single k8s cluster with broker and all clients in the same cluster a function that would allow the token to be fetched from file would be sufficient.

Our enterprise is larger; clients span more clusters / runtime environments.
For this reason we use AAD workload federation, where we can federate multiple k8s clusters into one single trusted IDP.

What we need is a function that will do a client credential grant on an IDP where it uses a JWT token as authentication (https://datatracker.ietf.org/doc/html/rfc7523#section-2.2).
The source of this token can of course differ, but for our case we need the token to come from the filesystem.

We can provide a PR for this but would like to discuss naming etc. with you to get a common understanding.
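
The flow described in the opening post, as an added example that is not part of this issue or of the project under discussion: a client-credentials grant where the client authenticates with a JWT assertion per RFC 7523 section 2.2, and the JWT is read from the file that Kubernetes projects into the pod. The token endpoint URL, client id, file path, claim values and the `fake_opener` that stands in for the IDP are all constructed assumptions; a real projected token is signed by the cluster's issuer, so the sample JWT built here would be rejected by any real IDP. The token file is re-read on every request, because the platform rotates it and a cached copy expires in the client's hands.

```python
"""Client-credentials grant with a JWT client assertion (RFC 7523 section 2.2),
reading the assertion from a file projected into the pod by Kubernetes."""
import base64
import json
import os
import tempfile
import time
import urllib.parse
import urllib.request

# Fixed by RFC 7523 section 2.2: tells the IDP that client_assertion is a JWT.
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def read_projected_token(path):
    """Read the JWT the platform projected into the pod. Called on every token
    request rather than once at startup, since the platform refreshes the file."""
    with open(path, "r", encoding="utf-8") as f:
        token = f.read().strip()
    if token.count(".") != 2:
        raise ValueError(f"{path} does not contain a compact-serialized JWT")
    return token


def jwt_claims(token):
    """Decode the JWT payload without verifying the signature. The client only
    uses this to notice an already-expired projected token early; the IDP is
    the party that verifies the signature."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def build_assertion_request(client_id, assertion, scope=None):
    """Form parameters for the token endpoint: a client_credentials grant in
    which the client authenticates with a JWT instead of a client secret."""
    claims = jwt_claims(assertion)
    if "exp" in claims and claims["exp"] <= time.time():
        raise ValueError("projected token already expired; platform has not refreshed it")
    params = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
    }
    if scope:
        params["scope"] = scope
    return params


def parse_token_response(body):
    """Extract the access token from the IDP's JSON reply, rejecting OAuth
    error responses and anything that is not a bearer token."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"token endpoint returned {data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return {"access_token": data["access_token"], "expires_in": int(data.get("expires_in", 0))}


def request_access_token(token_endpoint, client_id, token_path, scope=None, opener=urllib.request.urlopen):
    """Full exchange: read the projected JWT, POST it as a client assertion,
    parse the reply. `opener` is injectable so the flow runs without a network."""
    assertion = read_projected_token(token_path)
    params = build_assertion_request(client_id, assertion, scope)
    req = urllib.request.Request(
        token_endpoint,
        data=urllib.parse.urlencode(params).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with opener(req) as resp:
        return parse_token_response(resp.read())


def make_constructed_jwt(claims):
    """Constructed sample JWT for offline demonstration only: the signature
    segment is a placeholder, so no real IDP would accept it."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT', 'kid': 'constructed'})}.{enc(claims)}.placeholder-signature"


class _FakeResponse:
    def __init__(self, body):
        self._body = body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(req):
    """Stands in for the IDP (constructed): rejects requests that do not carry
    the jwt-bearer assertion type, otherwise issues a constructed bearer token."""
    sent = urllib.parse.parse_qs(req.data.decode("ascii"))
    if sent.get("client_assertion_type") != [CLIENT_ASSERTION_TYPE]:
        return _FakeResponse(json.dumps({"error": "invalid_client"}).encode())
    reply = {"access_token": "constructed-access-token", "token_type": "Bearer", "expires_in": 3600}
    return _FakeResponse(json.dumps(reply).encode())


if __name__ == "__main__":
    # Simulate the projected volume with a temporary file holding a constructed JWT.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token")
        with open(path, "w", encoding="utf-8") as f:
            f.write(make_constructed_jwt({"iss": "https://constructed-cluster/issuer",
                                          "sub": "system:serviceaccount:constructed-ns:constructed-sa",
                                          "aud": "constructed-audience",
                                          "exp": int(time.time()) + 3600}))
        print(request_access_token("https://idp.example/token", "constructed-client-id", path, opener=fake_opener))
```

Replace `fake_opener` with the default `urllib.request.urlopen` and point `token_endpoint` at the federated IDP's token endpoint to run the real exchange; the assertion type and grant parameters are the ones RFC 7523 fixes, so only the endpoint, client id and token path are deployment-specific.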

@mstruk (Contributor) commented Oct 11, 2022

Seems like you already have an idea of what you would like the configuration to look like and how the execution flow would differ compared to configuring the client credentials or the access token.

Maybe you could describe your proposal in those terms (configuration, execution flow) so it's easier to discuss.

@robbertvanwaveren (Contributor)

How about I make a quick PR to show the desired additional behavior and we take it from there?

@mstruk (Contributor) commented Oct 11, 2022

Sounds good.

@robbertvanwaveren (Contributor)

See my PR.

@shinji commented Oct 25, 2023

Greetings. Any progress related to this improvement?
