Open
Conversation
Contributor
|
Thanks for the proposal. I can see the need for StsCredentialsOptions in the internal implementation of the Auth library, but I would expect that the API we would expose to gRPC applications would be of the form : StsCredentials mySTScreds = You can imagine replacing "ALTS" with other creds types that are relevant. |
chwarr
reviewed
May 30, 2019
L50-cpp-sts-creds-api.md
Outdated
|
|
||
| ## Background | ||
|
|
||
| [OAuth 2.0 Token Exchange](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16) is the proposed standard for exchanging tokens, for scenarios where a client needs to access a resource that does not natively accept the credentials created by the authentication system used by the client. In these settings, enabling credential exchange can provide better security: Otherwise, the client needs to acquire a different set of credentials to access the resource, and the new credentials must be managed securely. |
Contributor
There was a problem hiding this comment.
Consider using reference-style links to minimize duplication of the addresses:
[OAuth 2.0 Token Exchange][oauth-token-exchange] is the proposed...
[oauth-token-exchange]: https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16
L50-cpp-sts-creds-api.md
Outdated
|
|
||
| ## Background | ||
|
|
||
| [OAuth 2.0 Token Exchange](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16) is the proposed standard for exchanging tokens, for scenarios where a client needs to access a resource that does not natively accept the credentials created by the authentication system used by the client. In these settings, enabling credential exchange can provide better security: Otherwise, the client needs to acquire a different set of credentials to access the resource, and the new credentials must be managed securely. |
Contributor
There was a problem hiding this comment.
Minor: Remove the comma in " ...exchanging tokens, for scenarios ..."?
L50-cpp-sts-creds-api.md
Outdated
|
|
||
| [OAuth 2.0 Token Exchange](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16) is the proposed standard for exchanging tokens, for scenarios where a client needs to access a resource that does not natively accept the credentials created by the authentication system used by the client. In these settings, enabling credential exchange can provide better security: Otherwise, the client needs to acquire a different set of credentials to access the resource, and the new credentials must be managed securely. | ||
|
|
||
| For instance, Kubernetes workloads can securely obtain credentials from their platform, and they can use these to authenticate to other entities in the cluster, or to the Kubernetes API itself. However, if a Kubernetes workload requires access to a cloud provider's API, it needs a separate set of secrets, and a way to deploy these secrets securely. With credential exchange this is no longer necessary: The workload credential can be directly exchanged for a short-lived token for the cloud API. We expect this type of interaction to become a best practice, as it eliminates a number of problematic patterns, such as secrets checked into code repos, or stored in improperly ACL'ed files. |
Contributor
There was a problem hiding this comment.
Minor: Remove the comma in "cluster, or to the Kubernetes API itself."?
L50-cpp-sts-creds-api.md
Outdated
| * Status: Draft | ||
| * Implemented in: core, cpp | ||
| * Last updated: May 20, 2019 | ||
| * Discussion at: <google group thread> (filled after thread exists) |
Contributor
There was a problem hiding this comment.
Is there a thread for this yet? Can you start one?
Author
There was a problem hiding this comment.
Just did:
https://groups.google.com/forum/#!topic/grpc-io/Bam9eLaI62Q
Thanks for the reminder!
L50-cpp-sts-creds-api.md
Outdated
|
|
||
| [OAuth 2.0 Token Exchange](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16) is the proposed standard for exchanging tokens, for scenarios where a client needs to access a resource that does not natively accept the credentials created by the authentication system used by the client. In these settings, enabling credential exchange can provide better security: Otherwise, the client needs to acquire a different set of credentials to access the resource, and the new credentials must be managed securely. | ||
|
|
||
| For instance, Kubernetes workloads can securely obtain credentials from their platform, and they can use these to authenticate to other entities in the cluster, or to the Kubernetes API itself. However, if a Kubernetes workload requires access to a cloud provider's API, it needs a separate set of secrets, and a way to deploy these secrets securely. With credential exchange this is no longer necessary: The workload credential can be directly exchanged for a short-lived token for the cloud API. We expect this type of interaction to become a best practice, as it eliminates a number of problematic patterns, such as secrets checked into code repos, or stored in improperly ACL'ed files. |
Contributor
There was a problem hiding this comment.
Minor: Remove the comma in "set of secrets, and a way to deploy"?
L50-cpp-sts-creds-api.md
Outdated
|
|
||
| [OAuth 2.0 Token Exchange](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16) is the proposed standard for exchanging tokens, for scenarios where a client needs to access a resource that does not natively accept the credentials created by the authentication system used by the client. In these settings, enabling credential exchange can provide better security: Otherwise, the client needs to acquire a different set of credentials to access the resource, and the new credentials must be managed securely. | ||
|
|
||
| For instance, Kubernetes workloads can securely obtain credentials from their platform, and they can use these to authenticate to other entities in the cluster, or to the Kubernetes API itself. However, if a Kubernetes workload requires access to a cloud provider's API, it needs a separate set of secrets, and a way to deploy these secrets securely. With credential exchange this is no longer necessary: The workload credential can be directly exchanged for a short-lived token for the cloud API. We expect this type of interaction to become a best practice, as it eliminates a number of problematic patterns, such as secrets checked into code repos, or stored in improperly ACL'ed files. |
Contributor
There was a problem hiding this comment.
Minor: Remove the comma in "code repos, or stored"?
added 2 commits
May 30, 2019 15:27
- Also changing the numbering to L51 as opposed to L50 since there's already a PR with an L51 proposal.
Author
|
@a11r Do you want me to reply on this PR or on the https://groups.google.com/forum/#!topic/grpc-io/Bam9eLaI62Q thread? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.