Support specifying which token to use on external jwt signers #2681

Open
andrewpmartinez opened this issue Jan 23, 2025 · 0 comments
andrewpmartinez commented Jan 23, 2025

For some IdPs (Google Public OIDC), their access tokens are not externally verifiable nor intended to be inspected. Therefore, the only token that can be relied on is the ID token. In general, access tokens should be used, but when we cannot, sharing the ID token between Ziti SDK/Clients and Ziti controllers should be supported.

  • Support selecting which token to use via the Management API on create/update/patch
  • Support reporting which token to use via the Management API on list/detail
  • Support reporting which token to use via the Client API on list/detail
  • Token fields to be supported: ACCESS, ID
  • Default existing External JWT signers to ACCESS
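As an added illustration (not OpenZiti's code), the Go program below shows the selection the issue proposes: a signer record carrying a target token of ACCESS or ID, the controller picking that token from what the client presents, and RS256 verification that rejects an opaque access token instead of treating it as a JWT. The `ExternalJwtSigner` and `TokenSet` structs, `NewDemo`, the "ya29." opaque sample and the issuer/subject values are assumptions constructed for the example; a real verifier also checks `iss`, `aud` and `exp` and resolves the key by `kid`, which is omitted here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// TargetToken carries the ACCESS / ID values proposed in the issue.
type TargetToken string

const (
	TargetAccess TargetToken = "ACCESS"
	TargetID     TargetToken = "ID"
)

// ExternalJwtSigner is a hypothetical, trimmed-down signer record (assumption):
// the verification key plus which of the client's tokens the controller expects.
type ExternalJwtSigner struct {
	PublicKey   *rsa.PublicKey
	TargetToken TargetToken
}

// TokenSet is what an SDK/client holds after completing the OIDC code flow (assumption).
type TokenSet struct {
	AccessToken string
	IDToken     string
}

// selectToken picks the token the signer is configured for. An unset TargetToken
// behaves as ACCESS, matching the proposed default for existing signers.
func selectToken(s ExternalJwtSigner, t TokenSet) string {
	if s.TargetToken == TargetID {
		return t.IDToken
	}
	return t.AccessToken
}

// verifyRS256 validates a compact JWS signed with RS256 and returns its claims.
// An opaque access token (not three base64url segments) is rejected here rather
// than being handed on as if it were a JWT.
func verifyRS256(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a JWS compact serialization")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the token must never choose how it is verified.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(payload, &claims)
}

// Authenticate is the controller-side step: choose the configured token, then verify it.
func Authenticate(s ExternalJwtSigner, t TokenSet) (map[string]interface{}, error) {
	return verifyRS256(selectToken(s, t), s.PublicKey)
}

// signRS256 mints a sample token for the demo; in practice the IdP does this, never the controller.
func signRS256(claims map[string]interface{}, priv *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// NewDemo builds a constructed IdP key, a verifiable ID token and an opaque access
// token, modelling the Google Public OIDC case described in the issue.
func NewDemo() (*rsa.PublicKey, TokenSet) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tokens := TokenSet{
		AccessToken: "ya29.constructed-opaque-access-token", // constructed sample; not a JWT
		IDToken:     signRS256(map[string]interface{}{"iss": "https://idp.example", "sub": "user-123"}, priv),
	}
	return &priv.PublicKey, tokens
}

func main() {
	pub, tokens := NewDemo()
	for _, target := range []TargetToken{TargetAccess, TargetID} {
		signer := ExternalJwtSigner{PublicKey: pub, TargetToken: target}
		claims, err := Authenticate(signer, tokens)
		fmt.Printf("targetToken=%s claims=%v err=%v\n", target, claims, err)
	}
}
```

Running it shows the two outcomes side by side: with ACCESS the opaque token fails before any signature check, and with ID the same client is authenticated from the verified claims. Keeping the choice on the signer record rather than letting the client decide which token to send means the controller's trust decision is fixed by configuration, not by the token presented.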

Additional Information:

Another option is making the OpenZiti controller a relying party, allowing the configuration of a client_id/client_secret. However, it involves maintaining and defending against replay and novel attacks from separate user scopes, which increases the controller's attack surface with little benefit over using code flow + PKCE on the user device.

@andrewpmartinez andrewpmartinez added the enhancement New feature or request label Jan 23, 2025
@andrewpmartinez andrewpmartinez self-assigned this Jan 23, 2025
andrewpmartinez added a commit to openziti/edge-api that referenced this issue Jan 23, 2025
andrewpmartinez added a commit that referenced this issue Jan 23, 2025
- adds targetToken of values ACCESS, ID for management API CRUD
- adds targetToken to client API reads
- adds --target-token to external jwt signers CLI
- updates/adds tests
andrewpmartinez added a commit that referenced this issue Jan 23, 2025
- adds targetToken of values ACCESS, ID for management API CRUD
- adds targetToken to client API reads
- adds --target-token to external jwt signers CLI
- updates/adds tests