Open aaguiarz opened 2 months ago
It should be noted from the SPIFFE docs:

> Being a bearer token, JWT-SVIDs are susceptible to replay attacks. By requiring that the aud and exp claims be set, this specification has taken steps to improve the situation, but is unable to solve it completely while retaining validation compatibility with [RFC 7515](https://tools.ietf.org/html/rfc7519). It is very important to understand this risk.

So really, X.509 SVIDs specifically would be preferred if using SPIFFE. Using JWT SVIDs may not offer much better security than just the current OAuth capability.
Describe the problem you'd like to have solved
Currently services are authenticated to OpenFGA using shared secrets or OAuth, but not SPIFFE
Describe the ideal solution
Provide a way to authenticate clients using SPIFFE
Alternatives and current workarounds
Use shared keys or OAuth for authorization
Additional context
-