apache / trafficserver

Apache Traffic Server™ is a fast, scalable and extensible HTTP/1.1 and HTTP/2 compliant caching proxy server.
https://trafficserver.apache.org/
Apache License 2.0

access_control plugin with opaque tokens + client JWT assertion #9220

Open mst opened 1 year ago

mst commented 1 year ago

My use case is almost solved by the access_control plugin, but instead of having a JWT created by an Application/Origin, I have a client JWT assertion that contains e.g. sub. The Client only sends the JWT during authn and receives an opaque Access Token.

The flow is as follows (see also RFC7521, RFC7523):

  1. client creates a JWT using a client secret (contains sub)
  2. POST /auth on the Application with the JWT
  3. Application returns opaque Access Token
  4. GET /some-resource with the token

When the client requests the URL another time, the Access Token may have expired and it creates a new one. But the cache may still be hot enough. I wouldn't want the new token to cause a cache miss. Instead, the proxy should know which sub that Access Token was created with and add it to the cache key for lookup.
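To make the requested behaviour concrete, here is an added example that is not part of the issue and not Apache Traffic Server or access_control plugin code. It models the four-step flow above with the Python standard library: the client signs an HS256 JWT assertion carrying `sub`, the Application verifies it and issues an opaque token, and the proxy resolves that token back to its subject and derives the cache key from `sub` plus the request, so a rotated token for the same subject produces the same key while an expired or unknown token yields no cache lookup at all. The function names (`make_assertion`, `issue_token`, `introspect`, `cache_key`), the in-memory token store, the shared client secret and the timestamps are all constructed for illustration; a real proxy would obtain the token-to-subject mapping from the Application's introspection endpoint or a plugin-side store.

```python
"""Added example, not trafficserver or access_control code: JWT assertion ->
opaque token -> subject-keyed cache key.  Store, names and secret are assumed."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

CLIENT_SECRET = b"constructed-client-secret"  # constructed sample shared with the Application
TOKEN_TTL = 300                                # opaque token lifetime in seconds (assumed)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Step 1: client builds an HS256 JWT assertion (RFC 7523 style) that carries `sub`.
def make_assertion(sub: str, secret: bytes, now: int) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + 60}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_assertion(token: str, secret: bytes, now: int) -> dict:
    """Check signature and expiry; constant-time compare avoids a timing side channel."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    return claims


# Steps 2-3: the Application (POST /auth) verifies the assertion and issues an opaque token.
_token_store: Dict[str, dict] = {}  # opaque token -> {"sub", "exp"}; assumed in-memory store


def issue_token(assertion: str, now: int) -> str:
    claims = verify_assertion(assertion, CLIENT_SECRET, now)
    token = secrets.token_urlsafe(32)  # opaque: carries no claims, so it cannot be parsed
    _token_store[token] = {"sub": claims["sub"], "exp": now + TOKEN_TTL}
    return token


def introspect(token: str, now: int) -> Optional[dict]:
    """Resolve an opaque token to its subject; None for unknown or expired tokens."""
    rec = _token_store.get(token)
    if rec is None or rec["exp"] <= now:
        return None
    return rec


# Step 4: the proxy keys the cache on method + URL + sub, never on the token value.
def cache_key(method: str, url: str, token: str, now: int) -> Optional[str]:
    rec = introspect(token, now)
    if rec is None:
        return None  # unknown/expired token: no cache lookup, let the origin decide
    return hashlib.sha256(f"{method} {url} sub={rec['sub']}".encode()).hexdigest()


if __name__ == "__main__":
    t0 = 1700000000  # constructed timestamp
    tok1 = issue_token(make_assertion("alice", CLIENT_SECRET, t0), t0)
    key1 = cache_key("GET", "/some-resource", tok1, t0)
    t1 = t0 + 400  # tok1 has expired; client rotates to a fresh token
    tok2 = issue_token(make_assertion("alice", CLIENT_SECRET, t1), t1)
    key2 = cache_key("GET", "/some-resource", tok2, t1)
    print("same key after rotation:", key1 == key2)
    print("expired token key:", cache_key("GET", "/some-resource", tok1, t1))
```

Run as a script to see that the rotated token maps to the same cache key and the expired one to `None`; the design point is that the cache key must depend on what the token resolves to (the subject), not on the token bytes, otherwise every rotation doubles as a cache miss and cached responses for one subject could never be shared across its tokens.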

github-actions[bot] commented 9 months ago

This issue has been automatically marked as stale because it has not had recent activity. Marking it stale to flag it for further consideration by the community.