strehle changed the title from "Improve JWT bearer usage - password grant depreciation preparation" to "Improve JWT bearer usage - deprecate password grant" on Feb 12, 2025
Why: the password grant should be deprecated, because it is not part of newer OAuth or OIDC standards, e.g. https://oauth.net/2.1/

There is an RFC, https://datatracker.ietf.org/doc/html/rfc9700#section-2.4, which states:

> The resource owner password credentials grant [[RFC6749](https://datatracker.ietf.org/doc/html/rfc6749)] MUST NOT be used.

For user-interactive login or principal propagation we support the passcode login, a way to omit passwords. For purely technical usages there is token-based authentication with private_key_jwt (or later mTLS) in client_credentials flows.

However, there are mixed scenarios where technical scenarios need a user. GitHub Actions is a good example, but there could be other scenarios, typically business scenarios, where user principal propagation should be supported but there is no user-interactive login.

JWT bearer and generic token exchange can solve the problem, but in CF it is not easy to adopt JWT bearer, and for generic token exchange (e.g. https://www.rfc-editor.org/rfc/rfc8693.html) we have no support yet.

This issue should collect and solve the problem, step by step.
Request an RFC from CF TOC: cloudfoundry/community#1085
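The issue contrasts the deprecated password grant with a JWT bearer assertion (RFC 7523) that carries a user principal without an interactive login. The following is an added example, not code from the issue or from the UAA project, showing both halves of that exchange: a trusted issuer mints an assertion for a user, and a token endpoint refuses `grant_type=password`, then accepts the assertion only after the checks RFC 7523 requires (trusted issuer, audience equal to the token endpoint, expiry, single-use `jti`). HS256 via `hmac` keeps it standard-library only; a real deployment signs with the client's registered asymmetric key (as in private_key_jwt / RS256) and verifies with the public key. The token endpoint URL, issuer name, key and user are all constructed for the example.

```python
"""Added example (not from the UAA issue or project): a token endpoint that
refuses the password grant and accepts an RFC 7523 JWT bearer assertion for a
user who cannot log in interactively (the CI scenario from the issue).
HS256 via hmac is a demo simplification; production uses the client's
registered asymmetric key. All URLs, keys and names are constructed."""
import base64
import hashlib
import hmac
import json
import time
import uuid

TOKEN_ENDPOINT = "https://uaa.example.test/oauth/token"   # constructed
DEMO_KEY = b"demo-only-shared-key"                         # constructed
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLOCK_SKEW = 60  # seconds of tolerance on iat/exp


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS over the claims; HS256 only so the demo runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def build_user_assertion(issuer: str, subject: str, key: bytes, now: int, lifetime: int = 300) -> str:
    """Assertion a trusted issuer (e.g. a CI system's identity) mints for a user."""
    claims = {"iss": issuer, "sub": subject, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}
    return sign_jwt(claims, key)


class AssertionVerifier:
    """Server-side checks RFC 7523 section 3 requires before issuing a token."""

    def __init__(self, key: bytes, trusted_issuers: set):
        self.key = key
        self.trusted_issuers = trusted_issuers
        self.seen_jti = set()  # replay cache; a real server prunes it by exp

    def verify(self, assertion: str, now: int) -> dict:
        try:
            h64, c64, s64 = assertion.split(".")
            header = json.loads(b64url_decode(h64))
            claims = json.loads(b64url_decode(c64))
        except ValueError:  # wrong part count, bad base64 or bad JSON
            raise ValueError("malformed assertion")
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("malformed assertion")
        if header.get("alg") != "HS256":  # rejects 'none' and algorithm confusion
            raise ValueError("unsupported alg")
        expected = hmac.new(self.key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            raise ValueError("bad signature")
        if claims.get("iss") not in self.trusted_issuers:
            raise ValueError("untrusted issuer")
        if claims.get("aud") != TOKEN_ENDPOINT:
            raise ValueError("wrong audience")
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now - CLOCK_SKEW:
            raise ValueError("expired")
        if claims.get("iat", 0) > now + CLOCK_SKEW:
            raise ValueError("issued in the future")
        if not claims.get("sub"):
            raise ValueError("missing sub")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("replayed or missing jti")
        self.seen_jti.add(jti)
        return claims


def handle_token_request(form: dict, verifier: AssertionVerifier, now: int) -> dict:
    """Token endpoint: the password grant is gone, JWT bearer carries the user."""
    grant = form.get("grant_type")
    if grant == "password":
        return {"error": "unsupported_grant_type",
                "error_description": "password grant is deprecated (RFC 9700 section 2.4)"}
    if grant != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        claims = verifier.verify(form.get("assertion", ""), now)
    except ValueError as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    return {"access_token": f"opaque-token-for-{claims['sub']}",  # constructed stand-in
            "token_type": "bearer", "sub": claims["sub"]}


if __name__ == "__main__":
    now = int(time.time())
    verifier = AssertionVerifier(DEMO_KEY, {"ci-runner"})
    assertion = build_user_assertion("ci-runner", "alice@example.test", DEMO_KEY, now)
    print(handle_token_request({"grant_type": "password", "username": "alice", "password": "x"}, verifier, now))
    print(handle_token_request({"grant_type": JWT_BEARER, "assertion": assertion}, verifier, now))
    print(handle_token_request({"grant_type": JWT_BEARER, "assertion": assertion}, verifier, now))  # replay
```

The `aud` check is what stops an assertion minted for one token endpoint from being presented to another, and the `jti` cache is what makes a leaked assertion single-use; both are the checks that a password grant, by its nature, never had.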