#9156 ipa-otpd: implement OAuth 2.0 token exchange support
Opened 2 years ago by abbra. Modified 2 years ago

RFC 8693 defines the concept of a Security Token Service (STS) that is capable of validating security tokens provided to it and issuing new security tokens in response. If an IdP supports RFC 8693, the IPA external IdP OAuth 2.0 client may use it to request a security token and use that token to verify user identity based on the security token provided by a different OAuth 2.0 application.

This can be used to allow the IPA KDC to issue Kerberos tickets for those OAuth 2.0 applications that want to operate on behalf of a user whom they have already logged in with the help of the OAuth 2.0 authorization framework. While these applications could have used a combination of S4U2Self and S4U2Proxy to perform protocol transition on behalf of the user, there are cases where a user needs to transition to their own TGT directly rather than to a service ticket. These cases include situations where authentication indicators are used to limit access to other services. S4U2Self would not be able to transition to a service ticket with the right (idp) authentication indicator.
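As an added illustration of the RFC 8693 exchange this ticket relies on (example code, not FreeIPA or SSSD code; the audience name, token values and the in-memory STS are constructed stand-ins for a real IdP), here is the client side of a token exchange next to a minimal validating STS:

```python
# Added example, not FreeIPA/SSSD code. Token values, the "ipa-kdc" audience
# and fake_sts are constructed placeholders; a real IdP does the validation.
import json
from urllib.parse import urlencode, parse_qs

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS = "urn:ietf:params:oauth:token-type:access_token"
ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"


def build_exchange_request(subject_token, audience, actor_token=None):
    """Form body for the STS token endpoint (RFC 8693 section 2.1).
    Passing actor_token turns an impersonation request into delegation."""
    params = {
        "grant_type": GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS,
        "audience": audience,
        "requested_token_type": ID_TOKEN,
    }
    if actor_token:
        params["actor_token"] = actor_token
        params["actor_token_type"] = ACCESS
    return urlencode(params)


def parse_exchange_response(body, expected_type=ID_TOKEN):
    """Check a token endpoint reply; raise ValueError unless it is a success
    response (section 2.2.1) carrying the token type that was requested."""
    data = json.loads(body)
    if "error" in data:  # RFC 6749 section 5.2 error shape
        raise ValueError("STS refused exchange: %s" % data["error"])
    for field in ("access_token", "issued_token_type", "token_type"):
        if field not in data:
            raise ValueError("response missing required field %r" % field)
    if data["issued_token_type"] != expected_type:
        raise ValueError("STS issued %s, wanted %s"
                         % (data["issued_token_type"], expected_type))
    return data["access_token"]


# Constructed stand-in for the IdP's STS: only known subject tokens for the
# expected audience are exchanged, anything else is refused.
KNOWN_TOKENS = {"app-access-token-1": "alice"}

def fake_sts(form_body, audience="ipa-kdc"):
    req = {k: v[0] for k, v in parse_qs(form_body).items()}
    if req.get("grant_type") != GRANT or req.get("audience") != audience:
        return json.dumps({"error": "invalid_request"})
    user = KNOWN_TOKENS.get(req.get("subject_token"))
    if user is None:
        return json.dumps({"error": "invalid_grant"})
    return json.dumps({"access_token": "id-token-for-%s" % user,
                       "issued_token_type": ID_TOKEN,
                       "token_type": "N_A", "expires_in": 300})
```

The returned token is what the IPA client would then verify to establish the user's identity before the KDC issues a TGT.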

Implementation of this feature would require a corresponding support in SSSD's Kerberos pre-authentication module (sssd-idp package).

On the IPA side, ipa-otpd may be completely transparent and all the logic could be moved to oidc_child. E.g. whatever state is passed from the KDC as a part of the RADIUS packet, pass it through to oidc_child and let it differentiate the types of state information passed by the idp modules.
