istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

support for oidc client_assertion as one of the client authentication methods #200

Open t-indumathy opened 2 years ago

t-indumathy commented 2 years ago

Feature Description

Support for client_assertion via private_key_jwt or client_secret_jwt in OIDC auth, with client_assertion_type as "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

Alternatives Considered

No alternatives. The current approach only supports client_secret, either in the form of basic auth or in the payload.

Additional Context

https://openid.net/specs/openid-connect-core-1_0.html#:~:text=per%20%5BOAuth.JWT%5D.-,private_key_jwt,-Clients%20that%20have

Shikugawa commented 2 years ago

@incfly I think it is worth doing. Should we include this in the next release plan?

incfly commented 2 years ago

Reading the RFC, private_key_jwt would require the client to register a public key with the identity provider. Later token endpoint requests to the IdP can then be authenticated by the client (authservice) signing a JWT.

There'll definitely be use cases for this. But just like every feature request, I'd like us to wait a bit and see whether there'll be more +1/data points from others saying they need this as well, and why it has to be private_key_jwt rather than another client authn scheme.


Side note for the next release and upcoming work, I think we should first prioritize the E2E testing, troubleshooting, docs (adding helm chart to the release) stuff. For example, ensure every PR would work with Istio 1.xx releases E2E without having to manually verify via installation.
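As an added example of the flow discussed in this thread (it is not authservice code and not from any participant above): the client side builds and RS256-signs a private_key_jwt client assertion, the code-exchange form body carries it in place of client_secret, and the IdP side checks it against the public key the client registered. The client_id, the token endpoint URL and all function names are assumptions. The verifier pins alg to RS256 and requires aud to equal its own token endpoint, which is what stops an assertion captured in transit from being replayed against another endpoint or with a downgraded algorithm. client_secret_jwt differs only in signing the same claims with HMAC-SHA256 over the client secret, and is not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
	"time"
)

// Fixed client_assertion_type value for JWT client authentication (RFC 7523).
const ClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

// assertionClaims: iss and sub are the client_id, aud is the token endpoint the
// assertion is bound to, jti is unique per assertion so the IdP can reject replays.
type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newClaims builds the claim set for clientID, bound to tokenEndpoint and valid for ttl.
func newClaims(clientID, tokenEndpoint string, now time.Time, ttl time.Duration) (assertionClaims, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return assertionClaims{}, err
	}
	return assertionClaims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: b64(jti), Iat: now.Unix(), Exp: now.Add(ttl).Unix()}, nil
}

// signAssertion is the client side of private_key_jwt: RS256-sign the claims with the
// private key whose public half is registered at the IdP and return the compact JWS.
func signAssertion(claims assertionClaims, priv *rsa.PrivateKey) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// tokenRequest is the code-exchange form body; the assertion replaces client_secret entirely.
func tokenRequest(code, redirectURI, assertion string) url.Values {
	return url.Values{
		"grant_type":            {"authorization_code"},
		"code":                  {code},
		"redirect_uri":          {redirectURI},
		"client_assertion_type": {ClientAssertionType},
		"client_assertion":      {assertion},
	}
}

// verifyAssertion is the IdP side: pin alg to RS256 (no alg confusion), verify the signature
// with the registered public key, then require aud == this endpoint and an unexpired exp.
func verifyAssertion(token string, pub *rsa.PublicKey, tokenEndpoint string, now time.Time) (assertionClaims, error) {
	var c assertionClaims
	var err error
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	raw := make([][]byte, 3)
	for i := range parts {
		if raw[i], err = base64.RawURLEncoding.DecodeString(parts[i]); err != nil {
			return c, err
		}
	}
	var hdr struct{ Alg string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return c, errors.New("alg must be RS256 for private_key_jwt")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return c, err
	}
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return c, err
	}
	if c.Aud != tokenEndpoint || !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("assertion is for another endpoint or has expired")
	}
	return c, nil
}
```

A typical call is `signAssertion(claims, priv)` followed by `tokenRequest(code, redirectURI, tok).Encode()` as the POST body to the token endpoint, with a short ttl (a minute is plenty, since the assertion is minted per request). Two things a real IdP does that this sketch leaves out: it looks the public key up by the iss/client_id in the assertion rather than taking it as a parameter, and it remembers seen jti values until their exp so a captured assertion cannot be replayed at the same endpoint within its lifetime.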