On Mon, Sep 12, 2016 at 12:45 PM, Bill Burke <bburke(a)redhat.com> wrote:
Our access tokens are JWSs: JSON Web Signatures that contain a
JWT.
This way if Client One gets an access token this token can be used to
invoke on Client Foo. Client Foo validates the JWS signature with the
realm's public key, if correct, allows the invocation. This is so that
you don't have to have a hub/spoke authentication for every single REST
invocation.
Thanks Bill, that makes sense. I couldn't figure out why my KC
implementation worked OOTB with Kubernetes given there is no
REQUIREMENT that the access_token be a JWS (thanks for correcting me
that it's a JWS not a JWT) yet simply passing the access_token to
Kubernetes works great. Turns out the design pattern you describe
above is the same pattern Kubernetes is using, it's just not well
documented on their end. That closes the loop and explains
everything.
Thanks
Marc
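The pattern Bill describes above (an access token issued as a JWS that a receiving client verifies offline with the realm's public key, with no per-request round trip to the realm), as an added Go example that is not Keycloak's or Kubernetes' own code. The claim names, the audience check and the constructed RealmKey are assumptions made here for illustration.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// RealmKey is a constructed stand-in for the realm's signing key; only its public half leaves the realm.
var RealmKey, _ = rsa.GenerateKey(rand.Reader, 2048)
// Claims is the subset of JWT claims this example checks (a hypothetical claim set).
type Claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding
// MintToken plays the realm: it signs the JWT claims as a compact JWS (RS256) with the private key.
func MintToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	sum := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload"
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
// VerifyToken plays the receiving client (Client Foo): it needs only the realm's public key. The algorithm
// is pinned to RS256 rather than read from the header's alg field; audience and expiry are checked too.
func VerifyToken(token string, pub *rsa.PublicKey, aud string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("bad signature") // anything not signed by the realm stops here
	}
	payload, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil || c.Aud != aud || now >= c.Exp {
		return nil, errors.New("claims rejected: malformed, wrong audience, or expired")
	}
	return &c, nil
}
```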