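%% You should probably cite draft-ietf-wimse-workload-identity-practices instead of this I-D.
%% Revision 02 of the draft as exported from the IETF Datatracker. The pagetotal and day
%% fields are biblatex extensions; classic BibTeX silently ignores them. Only the acronym in
%% the title is brace-protected so that sentence-casing styles can still recase the rest.
@techreport{ietf-wimse-workload-identity-bcp-02,
  number      = {draft-ietf-wimse-workload-identity-bcp-02},
  type        = {Internet-Draft},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-bcp/02/},
  author      = {Hofmann, Benedikt and Tschofenig, Hannes and Giordano, Edoardo and Rosomakho, Yaroslav and Schwenkschuster, Arndt},
  title       = {{OAuth} 2.0 Client Assertion in Workload Environments},
  pagetotal   = 19,
  year        = 2024,
  month       = nov,
  day         = 13,
  abstract    = {The use of the OAuth 2.0 framework for container orchestration systems poses a challenge as managing secrets, such as client\_id and client\_secret, can be complex and error-prone. Instead of manual provisioning these credentials the industry has moved to a federation-based approach where credentials of the underlying workload platform are used as assertions towards an OAuth authorization server leveraging the Client Assertion Flow {[}RFC7521{]}, in particular {[}RFC7523{]}. This specification describes a meta flow in Section 3.1, gives security recommendations in Section 4 and outlines concrete patterns in Appendix A.},
}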