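@comment{IETF Internet-Draft from the WIMSE working group (draft-ietf-wimse-workload-identity-practices).
  The number and url fields pin the -01 revision and the note marks it Work in Progress, so confirm
  the current revision on the datatracker before citing it as a stable reference. The entry mixes
  classic BibTeX fields (year/month) with biblatex-only ones (day, pagetotal); classic BibTeX
  silently ignores the latter.}

@techreport{ietf-wimse-workload-identity-practices-01,
  author      = {Schwenkschuster, Arndt and Hofmann, Benedikt and Tschofenig, Hannes and Giordano, Edoardo and Rosomakho, Yaroslav},
  title       = {Workload Identity Practices},
  number      = {draft-ietf-wimse-workload-identity-practices-01},
  type        = {Internet-Draft},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2025,
  month       = mar,
  day         = 3,
  pagetotal   = 24,
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-practices/01/},
  abstract    = {The use of the OAuth 2.0 framework in container orchestration systems poses challenges, particularly in managing credentials such as client\_id and client\_secret, which can be complex and prone to errors. To address this, the industry has shifted towards a federation-based approach where credentials of the underlying workload platform are used as assertions towards an OAuth authorization server, leveraging the Assertion Framework for OAuth 2.0 Client Authentication {[}RFC7521{]}, specifically {[}RFC7523{]}. This specification describes a meta flow in Section 3.1, gives security recommendations in Section 4 and outlines concrete patterns in Appendix A. It referes to existing industry practices that are mainly built on top of OAuth. It may not be in line with the (currently work in progress) WIMSE architecture {[}I-D.ietf-wimse-arch{]} and other protocols, such as {[}I-D.ietf-wimse-s2s-protocol{]}.},
}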