feat: embedded STS #3529
Codecov Report

@@            Coverage Diff             @@
##             main    #3529      +/-   ##
==========================================
+ Coverage   72.21%   72.31%   +0.10%
==========================================
  Files         853      864      +11
  Lines       17162    17355     +193
  Branches      965      987      +22
==========================================
+ Hits        12394    12551     +157
- Misses       4359     4393      +34
- Partials      409      411       +2
LGTM, mostly minor nits
Two small changes in the comments.
…/KeyPairFactory.java Co-authored-by: Jim Marino <jim.marino@gmail.com>
…ain/java/org/eclipse/edc/iam/identitytrust/core/IatpDefaultServicesExtension.java Co-authored-by: Jim Marino <jim.marino@gmail.com>
What this PR changes/adds

Implements STS (Secure Token Service) embedded.

The `EmbeddedSecureTokenService` creates the Self-Issued ID token from the input claims by using a `TokenGenerationService`. If the param `bearerAccessScope` is provided, it will also automatically attach the `access_token` claim, which is another `Jwt` token containing the provided scopes (Credential Service Access). The Self-Issued ID format is compliant with the spec here.
For the `access_token` the format is still a `JWT` similar to the Self-Issued ID one, but:

- the `scope` claim contains the `bearerAccessScope` for the `Credential Service` access
- the `iss` claim is the same as the Self-Issued one
- `aud` is the `iss` of the Self-Issued token
- `sub` is the `aud` of the Self-Issued token

The same private key is used for signing the Self-Issued ID token and the Access token.
Why it does that

IATP adoption

Further notes

The `ConsumerPullKeyPairFactory` has been refactored by extracting the `KeyPairFactory` spi and moving `KeyPairFactoryImpl` into `connector-core`, so it can be reused by the `iatp` and `TransferDataPlaneCoreExtension`.

Linked Issue(s)

Closes #3500
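The token layout described in the PR body (a Self-Issued ID token that optionally embeds an `access_token` JWT whose `iss`, `aud` and `sub` are derived from the outer token, both signed with the same key), modelled as an added example. This is not code from the EDC project or this PR: HS256 with a constructed shared secret stands in for the project's private-key signing via `TokenGenerationService`, and the DIDs, scope string, 300-second lifetime and the `iss == sub` choice for the self-issued token are assumptions made for the example. The `check_access_token_binding` function shows the consistency checks a relying party can run over the two tokens before trusting the embedded scopes.

```python
"""Added example, not EDC project code: models the Self-Issued ID token with an
embedded access_token as described in the PR. HS256 with a constructed shared
secret stands in for the project's asymmetric private-key signing."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key: stands in for the single private key that, per the PR,
# signs both the Self-Issued ID token and the access token.
SIGNING_KEY = b"constructed-example-key-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _enc(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256 (stand-in for the TokenGenerationService)."""
    signing_input = f"{_enc({'alg': 'HS256', 'typ': 'JWT'})}.{_enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Check the HS256 signature and return the claims; raise on failure."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def create_self_issued_token(issuer: str, audience: str, key: bytes,
                             bearer_access_scope: Optional[str] = None,
                             now: Optional[int] = None) -> str:
    """Build the Self-Issued ID token; when bearer_access_scope is given, embed
    the access_token JWT with the iss/aud/sub mapping the PR describes."""
    now = int(time.time()) if now is None else now
    # Assumption: a self-issued token has iss == sub (the holder itself).
    claims = {"iss": issuer, "sub": issuer, "aud": audience,
              "iat": now, "exp": now + 300}
    if bearer_access_scope is not None:
        access_claims = {
            "iss": claims["iss"],          # same iss as the Self-Issued token
            "aud": claims["iss"],          # aud is the Self-Issued token's iss
            "sub": claims["aud"],          # sub is the Self-Issued token's aud
            "scope": bearer_access_scope,  # Credential Service access scopes
            "iat": now, "exp": now + 300,
        }
        claims["access_token"] = sign_jwt(access_claims, key)  # same key
    return sign_jwt(claims, key)


def check_access_token_binding(self_issued_token: str, key: bytes,
                               expected_audience: str, now: int) -> list:
    """Checks a relying party can apply before using the embedded access_token:
    both signatures verify under the same key, the outer token is addressed to
    us and unexpired, and the inner iss/aud/sub match the outer token exactly.
    Returns the granted scopes."""
    outer = verify_jwt(self_issued_token, key)
    if outer["aud"] != expected_audience or outer["exp"] <= now:
        raise ValueError("self-issued token not valid for this audience/time")
    if "access_token" not in outer:
        raise ValueError("no access_token claim present")
    inner = verify_jwt(outer["access_token"], key)
    if (inner["iss"], inner["aud"], inner["sub"]) != (outer["iss"], outer["iss"], outer["aud"]):
        raise ValueError("access_token claims do not match the self-issued token")
    if inner["exp"] <= now:
        raise ValueError("access_token expired")
    return inner["scope"].split()


if __name__ == "__main__":
    # Constructed sample run: holder issues a token for a verifier with one scope.
    tok = create_self_issued_token("did:web:holder.example", "did:web:verifier.example",
                                   SIGNING_KEY, "credential:read", now=1_700_000_000)
    print(check_access_token_binding(tok, SIGNING_KEY, "did:web:verifier.example", 1_700_000_000))
```

Because the inner token's `aud` is the holder's own `iss`, a party that wants to present the `access_token` to the holder's Credential Service must check that it was extracted from a Self-Issued token it could itself verify; the cross-check of `iss`/`aud`/`sub` above is what ties the two together.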