
KNOX-3273 - Short Lived Tokens as Client Credentials #1171

Open
lmccay wants to merge 1 commit into apache:master from lmccay:KNOX-3273

Conversation

@lmccay
Contributor

@lmccay lmccay commented Mar 8, 2026

KNOX-3273 - Short Lived Tokens for Client Credentials Flow

What changes were proposed in this pull request?

This change will extend the client credentials flow support to include the use of
JWT tokens rather than long-lived client_id and client_secret.

This is preferred for scenarios where short-lived JWTs are readily available to clients,
such as Service Accounts within k8s clusters and projected JWT credentials.

Rather than using client_id and client_secret as bearer or HTTP basic credentials,
we will use the client_assertion param based on the client_assertion_type of
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer".

POST /token.oauth2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiJ9... <- K8s SA JWT
scope=openid profile email

How was this patch tested?

Existing and new unit tests were run and written.
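The token-endpoint side of the exchange above, as an added example that is not part of this pull request or the Knox code base: it parses the form body, requires grant_type=client_credentials together with the jwt-bearer client_assertion_type, pins the JWT algorithm, verifies the signature before reading any claim, and applies the RFC 7523 checks on iss, sub, aud and exp. The key, issuer, audience and claim values are constructed, and HS256 stands in for the RS256 of real Kubernetes service-account tokens so the example runs on the standard library alone.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    # Constructed test token. Real K8s service-account tokens are RS256;
    # HS256 is used here only so the example runs on the stdlib alone.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def validate_client_assertion(form_body, key, expected_aud, trusted_iss, now=None):
    """Token-endpoint side: return the verified claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    form = parse_qs(form_body, strict_parsing=True)
    if form.get("grant_type") != ["client_credentials"]:
        raise ValueError("unsupported grant_type")
    if form.get("client_assertion_type") != [JWT_BEARER]:
        raise ValueError("unsupported client_assertion_type")
    assertion = form.get("client_assertion", [])
    if len(assertion) != 1 or assertion[0].count(".") != 2:
        raise ValueError("exactly one well-formed client_assertion required")
    h, b, s = assertion[0].split(".")
    # Pin the algorithm and verify the signature before trusting any claim.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(b))
    # RFC 7523 section 3: iss, sub, aud and exp are required; aud must name us.
    missing = [c for c in ("iss", "sub", "aud", "exp") if c not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    if claims["iss"] != trusted_iss:
        raise ValueError("untrusted issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if expected_aud not in aud:
        raise ValueError("audience mismatch")
    if claims["exp"] <= now:
        raise ValueError("assertion expired")
    return claims
```

A real deployment would verify RS256 against the issuer's published JWKS and add a jti replay cache, since a short-lived assertion is still replayable within its lifetime.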

@github-actions

github-actions bot commented Mar 8, 2026

Test Results

7 tests in 1 suite (1 file): 7 ✅ passed, 0 💤 skipped, 0 ❌ failed, 1s ⏱️

Results for commit 596a71f.

@lmccay lmccay requested a review from smolnar82 March 9, 2026 00:02