OAuth 2.0 Client Assertion in Workload Environments
draft-ietf-wimse-workload-identity-bcp-02
| Section | Field | Value |
|---|---|---|
| Document | Type | Replaced Internet-Draft (wimse WG); Expired & archived |
| | Authors | Benedikt Hofmann, Hannes Tschofenig, Edoardo Giordano, Yaroslav Rosomakho, Arndt Schwenkschuster |
| | Last updated | 2024-11-13 |
| | Replaces | draft-hofmann-wimse-workload-identity-bcp |
| | Replaced by | draft-ietf-wimse-workload-identity-practices |
| | RFC stream | Internet Engineering Task Force (IETF) |
| | Intended RFC status | Informational |
| | Formats | |
| | Additional resources | GitHub Organization; GitHub Repository; Mailing list discussion |
| Stream | WG state | WG Document |
| | Document shepherd | (None) |
| IESG | IESG state | Replaced by draft-ietf-wimse-workload-identity-practices |
| | Consensus boilerplate | Unknown |
| | Telechat date | (None) |
| | Responsible AD | (None) |
| | Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
Using the OAuth 2.0 framework in container orchestration systems poses a challenge: managing secrets such as client_id and client_secret can be complex and error-prone. Instead of manually provisioning these credentials, the industry has moved to a federation-based approach in which credentials of the underlying workload platform are presented as assertions to an OAuth authorization server, leveraging the Client Assertion Flow of [RFC7521] and, in particular, [RFC7523]. This specification describes a meta flow in Section 3.1, gives security recommendations in Section 4, and outlines concrete patterns in Appendix A.
Authors
Benedikt Hofmann
Hannes Tschofenig
Edoardo Giordano
Yaroslav Rosomakho
Arndt Schwenkschuster
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)