search

permitio / opal

Policy and data administration, distribution, and real-time updates on top of Policy Agents (OPA, Cedar, ...)
https://opal.ac
Apache License 2.0
5.14k stars 180 forks source link

Add support of external issued JWTs for client - server communication #539

Open kirillmakhonin-brt opened 10 months ago

kirillmakhonin-brt commented 10 months ago

Is your feature request related to a problem? Please describe. In organizations with established authentication infrastructure it would be beneficial to have an ability to use external systems to issue JWT tokens (e.g. GCP's JWT tokens) and configure server to trust such identites. It will eliminate the need to manage & maintain master token and handle all proper security technics around it (rotation etc)

Describe the solution you'd like Ability to pass JWKS endpoint (external to OPAL server) and (optionally) name of Python module & function that should be used for additional validation of token (e.g. specific scope requirement).

Ability to pass name of Python module & function / url / file path (file or callable) to OPAL client that can be used to get a fresh auth token

Describe alternatives you've considered Implementing this in a proxy server in front of OPAL server

orweis commented 10 months ago

Hi @kirillmakhonin-brt :) Thanks for submitting, we will review and consider. Would you be open to also submitting a PR ?