I just wanted to make people on this thread aware of the related IETF
WIMSE (https://datatracker.ietf.org/group/wimse/about/) work, as well as
note SPIFFE issue #315 (https://github.com/spiffe/spiffe/issues/315) as
being pieces of related work to profile JWTs to work with SPIFFE/SPIRE.
Regards, John
El 02/13/25 a las 07:59, Erin Shepherd escribió:
So I’ve been thinking of similar
On 13 Feb 2025, at 01:24, Dmitry Telegin <dmit...@backbase.com> wrote:
(Background: exploring the possibility of using SPIFFE as client
authentication mechanism at the Transaction Token service.)
JWT-SVIDs, defined in SPIFFE, are regular JWTs, though with some
peculiarities:
* the "sub", "aud" and "exp" claims are mandatory;
* the "iss" claim is optional (but would be normally added by SPIRE);
* the "sub" claim must be set to the workload's SPIFFE ID;
* the issuer of the JWT-SVID is the SPIRE server and not the workload;
the workload only controls the acquisition and presentation aspects.
Question 1. Is the use of JWT-SVIDs for client authentication (as a
client_assertion) compliant with RFC7523(bis)?
I don’t see why not. RFC7523 isn’t particularly prescriptive on the
exact claim set of the JWT.
Question 2. If so, what would be the best approach to registering such
clients with the AS (TTS)? Static registration doesn't work very well
because of the SPIFFE's dynamic nature. DCR could be problematic
because for JWT-based client auth mechanisms we only have
"private_key_jwt" and "client_secret_jwt" (and JWT-SVIDs are neither).
Should the AS/TTS perform some sort of automatic client registration
when it first encounters a JWT-SVID signed by a trusted issuer?
That’s your big question. I see two options:
1. Accept “spiffe:” as a client ID prefix per draft-parecki-oauth-
client-id-scheme <https://datatracker.ietf.org/doc/draft-parecki-oauth-
client-id-scheme/>. You’d still need to solve the metadata question
2. Define a “svid_jwt” client auth method and a “spiffe_id” metadata
property that the client would provide during registration. The client
still needs to register itself (or be manually registered, or have
something register it on behalf…) and know its client ID.
2a. Do the above and augment dynamic client registration so the client
can maintain and fetch its own registration with just a SVID JWT (or
SVID x.509 MTLS certificate?)
(I could see something like 2a based upon JWT credentials the client has
from elsewhere being generically useful, not necessarily tied directly
to SPIFFE).
- Erin
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
--
Independent Security Architect
t: +1.413.645.4169
e: stable.pseudo...@gmail.com
https://www.linkedin.com/in/johnk-am9obmsk/
https://github.com/frumioj
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
