Finalizer supporting OAuth 2.0 Token Exchange (RFC 8693) #1188

Open
2 of 3 tasks
dadrus opened this issue Feb 15, 2024 · 1 comment
Labels
feature Used for new features
Milestone

Comments

@dadrus
Owner

dadrus commented Feb 15, 2024

Preflight checklist

Describe the background of your feature request

One of the options available today to pass information about the authenticated and authorized subject to the upstream service is a built-in Security Token Service (STS), implemented by the jwt finalizer.

It allows exchanging any authentication information used by the client (tokens, cookies, etc.) for a highly customizable JWT that the heimdall instance itself signs, providing the keys to verify it via the jwks endpoint. Even though that approach is useful for implementing an edge-level access control architecture, it leads to a loss of transparency in the identity management flow, as heimdall becomes a token-issuing authority, which might be challenging or even unwanted in particular setups.

Describe your idea

To still have the functionality described above without heimdall being a central actor in the identity management flow, a new finalizer supporting the OAuth 2.0 Token Exchange protocol (RFC 8693) would be helpful. The finalizer type could be named e.g. oauth2_token_exchange.

Pros & Cons to be considered:

  • By making use of the OAuth 2.0 Token Exchange protocol, the flexibility offered by the jwt finalizer (the ability to define the claims that end up in the new token) will be lost to some degree.
  • New tokens can be issued via a standard protocol established for that purpose.
  • That new finalizer can most probably only be used in combination with authenticators acting on the OAuth2/OIDC protocol.
  • Heimdall is no longer a central actor in the identity management flow.

Are there any workarounds or alternatives?

No

Version

v0.13.0-alpha

Additional Context

No response

@dadrus dadrus added the feature Used for new features label Feb 15, 2024
@dadrus dadrus added this to the Future milestone Feb 15, 2024
@dadrus dadrus changed the title Support for OAuth 2.0 Token Exchange (RFC 8693) finalizer Finalizer supporting OAuth 2.0 Token Exchange (RFC 8693) Feb 15, 2024
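The token exchange the issue proposes to wrap in a finalizer, shown as an added example that is not part of the issue and not heimdall's own code: a Go client that sends an RFC 8693 request (grant_type, subject_token, subject_token_type, optional requested_token_type and audience) to an STS token endpoint and validates the response, run against an in-process fake STS. The subject token value "subject-token-123", the audience names and the fake's acceptance rules are constructed for the example; the proposed finalizer type name oauth2_token_exchange from the issue does not appear in the code, and the example does not implement a heimdall finalizer interface.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Identifiers registered by RFC 8693 (sections 2.1 and 3).
const (
	GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	TokenTypeAccessToken   = "urn:ietf:params:oauth:token-type:access_token"
	TokenTypeJWT           = "urn:ietf:params:oauth:token-type:jwt"
)

// ExchangeRequest holds the RFC 8693 request parameters; the first two are required.
type ExchangeRequest struct {
	SubjectToken     string // the token the client presented to heimdall
	SubjectTokenType string // RFC 8693 type identifier of SubjectToken
	RequestedType    string // requested_token_type (optional)
	Audience         string // logical name of the upstream service (optional)
}

// ExchangeResponse is the successful token response (RFC 8693 section 2.2.1).
type ExchangeResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
}

type errorResponse struct {
	Error       string `json:"error"`
	Description string `json:"error_description,omitempty"`
}

// Exchange POSTs a token-exchange request to tokenEndpoint and validates the response
// strictly: non-200 fails, required fields must be present, issued type must match.
func Exchange(client *http.Client, tokenEndpoint string, req ExchangeRequest) (*ExchangeResponse, error) {
	form := url.Values{"grant_type": {GrantTypeTokenExchange}, "subject_token": {req.SubjectToken}, "subject_token_type": {req.SubjectTokenType}}
	for k, v := range map[string]string{"requested_token_type": req.RequestedType, "audience": req.Audience} {
		if v != "" {
			form.Set(k, v)
		}
	}
	resp, err := client.Post(tokenEndpoint, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		var e errorResponse
		_ = json.NewDecoder(resp.Body).Decode(&e) // best effort: the body may not be JSON
		return nil, fmt.Errorf("token exchange failed: status %d, error=%q (%s)", resp.StatusCode, e.Error, e.Description)
	}
	var out ExchangeResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, fmt.Errorf("token exchange: malformed response: %w", err)
	}
	if out.AccessToken == "" || out.IssuedTokenType == "" || out.TokenType == "" {
		return nil, fmt.Errorf("token exchange: response lacks a required field")
	}
	if req.RequestedType != "" && out.IssuedTokenType != req.RequestedType {
		return nil, fmt.Errorf("token exchange: STS issued %q, requested %q", out.IssuedTokenType, req.RequestedType)
	}
	return &out, nil
}

// NewFakeSTS starts an in-process stand-in for an STS token endpoint (a constructed fixture):
// it accepts one hard-coded subject token, insists on an audience and issues the requested type.
func NewFakeSTS() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = r.ParseForm() // a non-POST or unparsable body simply leaves PostForm empty
		f := r.PostForm
		switch {
		case f.Get("grant_type") != GrantTypeTokenExchange:
			writeJSON(w, http.StatusBadRequest, errorResponse{Error: "unsupported_grant_type"})
		case f.Get("subject_token") != "subject-token-123" || f.Get("subject_token_type") != TokenTypeAccessToken:
			writeJSON(w, http.StatusBadRequest, errorResponse{Error: "invalid_request", Description: "subject token rejected"})
		case f.Get("audience") == "":
			writeJSON(w, http.StatusBadRequest, errorResponse{Error: "invalid_target", Description: "audience is required"})
		default:
			issued := f.Get("requested_token_type")
			if issued == "" {
				issued = TokenTypeAccessToken
			}
			writeJSON(w, http.StatusOK, ExchangeResponse{AccessToken: "exchanged-for-" + f.Get("audience"), IssuedTokenType: issued, TokenType: "Bearer"})
		}
	}))
}

func writeJSON(w http.ResponseWriter, status int, v any) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(v)
}
```

Two checks in Exchange are the ones that matter for a finalizer: a non-200 answer is surfaced with the RFC 6749 error code the STS returned (invalid_target for an unacceptable audience is defined by RFC 8693 itself), and the issued_token_type is compared with what was requested, so an STS that silently hands back a different token type cannot be forwarded to the upstream as if it were the requested one.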
@dadrus
Owner Author

dadrus commented Sep 3, 2024

There is an RFC draft for so-called transactional tokens, which closes the first con written in the description, as contextual information can be passed down to the new token.
