
Feature: Oauth JWT authentication support / AAD workload federation

Open sander-su opened this issue 2 years ago • 5 comments

We would like to have support for JWT auth. https://datatracker.ietf.org/doc/html/rfc7523#section-2.2 urn:ietf:params:oauth:client-assertion-type:jwt-bearer

Our use case is that we use Azure AD (AAD) as our IDP. We use k8s as our runtime platform. We would like to go credential-less, so have the platform inject session credentials and do not use permanent credentials. For other means we use: https://azure.github.io/azure-workload-identity/docs/

K8s can use https://kubernetes.io/docs/concepts/storage/projected-volumes/ to inject a JWT token into the pod. The k8s platform is responsible for ensuring a valid token is present on the filesystem at any time and thus will refresh the token. When only running in a single k8s cluster, with broker and all clients in the same cluster, a function that would allow the token to be fetched from a file would be sufficient.

Our enterprise is larger; clients span more clusters / runtime environments. For this reason we use AAD workload federation, where we can federate multiple k8s clusters into one single trusted IDP.

What we need is a function that will do a client credentials grant on an IDP where it uses a JWT token as authentication (https://datatracker.ietf.org/doc/html/rfc7523#section-2.2). The source of this token can of course differ, but for our case we need the token to come from the filesystem.

We can provide a PR for this but would like to discuss naming etc. with you to get a common understanding.

sander-su avatar Oct 11 '22 09:10 sander-su
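The flow described in the request, as an added example that is not part of the issue or of strimzi-kafka-oauth's own code: the client reads the projected service-account token from the filesystem on every grant (so a token rotated by the kubelet is picked up), refuses to present one that is already past its exp claim, and sends it as the client_assertion of a client_credentials grant per RFC 7523 section 2.2. The mount path, token endpoint, tenant, client_id and scope values are placeholders, the stub IDP and the HMAC-signed sample token are constructed test data (a real projected token is RS256-signed by the API server), and the HTTP call is injectable so the whole thing runs offline.

```python
"""Client side of an RFC 7523 sec. 2.2 client_credentials grant using a Kubernetes
projected token as the assertion. Example code, not strimzi-kafka-oauth's implementation."""
import base64
import hashlib
import hmac
import json
import pathlib
import tempfile
import time
import urllib.parse
import urllib.request

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Assumed mount path of the azure-workload-identity projected token; override per deployment.
DEFAULT_TOKEN_PATH = "/var/run/secrets/azure/tokens/azure-identity-token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. Deliberate: the client is not the
    relying party, the IDP verifies the assertion. We only read exp to avoid sending a token
    the kubelet has not rotated yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWS")
    return json.loads(_b64url_decode(parts[1]))


def read_projected_token(path: str, now: float) -> str:
    """Read the assertion fresh from the projected volume on every grant; never cache it."""
    token = pathlib.Path(path).read_text(encoding="ascii").strip()
    exp = jwt_claims(token).get("exp")
    if exp is None or exp <= now:
        raise RuntimeError(f"projected token at {path} is expired or has no exp claim")
    return token


def build_assertion_grant(client_id: str, scope: str, assertion: str) -> dict:
    """Form body for a client_credentials grant authenticated per RFC 7523 section 2.2."""
    return {"grant_type": "client_credentials", "client_id": client_id, "scope": scope,
            "client_assertion_type": JWT_BEARER, "client_assertion": assertion}


class AssertionTokenClient:
    """Caches the access token; re-reads the file-based assertion whenever a new grant is needed."""

    def __init__(self, token_endpoint, client_id, scope, token_path=DEFAULT_TOKEN_PATH, post=None, skew=30):
        self.token_endpoint, self.client_id, self.scope = token_endpoint, client_id, scope
        self.token_path, self.skew = token_path, skew
        self._post = post or self._http_post  # injectable so the flow can run offline
        self._access_token, self._expires_at = None, 0.0

    @staticmethod
    def _http_post(url: str, form: dict) -> dict:
        req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())

    def access_token(self, now=None) -> str:
        now = time.time() if now is None else now
        if self._access_token and now < self._expires_at - self.skew:
            return self._access_token  # cached access token still valid (minus clock skew)
        assertion = read_projected_token(self.token_path, now)
        body = self._post(self.token_endpoint, build_assertion_grant(self.client_id, self.scope, assertion))
        if "access_token" not in body:
            raise RuntimeError(f"token endpoint refused the assertion: {body.get('error')}")
        self._access_token = body["access_token"]
        self._expires_at = now + float(body.get("expires_in", 0))
        return self._access_token


def make_sample_jwt(claims: dict) -> str:
    """Constructed stand-in for a kubelet-issued token (HMAC with a throwaway key; real projected
    tokens are RS256-signed by the API server). Only the payload matters to this client."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(b"throwaway", f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the whole flow offline against a stub IDP and a constructed projected token."""
    grants = []

    def stub_idp(url, form):  # stands in for the AAD token endpoint
        grants.append(form)
        if form.get("client_assertion_type") != JWT_BEARER or "exp" not in jwt_claims(form["client_assertion"]):
            return {"error": "invalid_client"}
        return {"access_token": f"at-{len(grants)}", "token_type": "Bearer", "expires_in": 3600}

    path = pathlib.Path(tempfile.mkdtemp()) / "azure-identity-token"  # constructed projected volume
    path.write_text(make_sample_jwt({"iss": "https://oidc.example/cluster-a", "aud": "api://AzureADTokenExchange",
                                     "sub": "system:serviceaccount:kafka:producer", "exp": int(now) + 3600}))
    client = AssertionTokenClient("https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",  # placeholder
                                  "00000000-0000-0000-0000-000000000000", "api://kafka-broker/.default",
                                  token_path=str(path), post=stub_idp)
    tokens = [client.access_token(now), client.access_token(now + 60), client.access_token(now + 3590)]
    try:  # projected token now past exp: the client must refuse to present it
        AssertionTokenClient(client.token_endpoint, client.client_id, client.scope, str(path), stub_idp).access_token(now + 3601)
        expired_rejected = False
    except RuntimeError:
        expired_rejected = True
    return {"tokens": tokens, "grants": len(grants), "expired_rejected": expired_rejected,
            "assertion_type": grants[0]["client_assertion_type"]}
```

The second call in `demo` is served from the cache, the third falls inside the skew window and triggers a fresh grant that re-reads the file; in a real deployment that re-read is what makes kubelet rotation work without restarting the client.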

Seems like you already have an idea how you would like the configuration to look and how the execution flow would go differently compared to configuring the client credentials or the access token.

Maybe you could describe your proposal in those terms (configuration, execution flow) so it's easier to discuss.

mstruk avatar Oct 11 '22 13:10 mstruk

How about I'll make a quick PR to show the desired additional behavior and we'll take it from there?

robbertvanwaveren avatar Oct 11 '22 14:10 robbertvanwaveren

Sounds good.

mstruk avatar Oct 11 '22 15:10 mstruk

See my PR.

robbertvanwaveren avatar Oct 13 '22 08:10 robbertvanwaveren

Greetings. Any progress related to this improvement?

shinji avatar Oct 25 '23 12:10 shinji