Consolidate STS code #37021
Labels
area/security
lifecycle/automatically-closed
lifecycle/stale
Currently we have 2-3 partially overlapping STS usages in Istio. Would be good to consolidate these. Below captures my notes quickly running through these:

- caclient/credentials:
  - calls TokenExchange (CA)
  - inline code for TokenManager.GenerateToken
- TokenManager - STS -> response. GenerateToken
  - Can also get "metadata"
  - 1 impl: stsservice/tokenmanager
    - tokenmanager.Plugin -> STS -> response. TokenManager just delegates to this
    - 1 impl: google/tokenexchangeplugin
      - has a cache for access token (also for federated token, but it's never actually used)
      - constructFederatedTokenRequest - token -> federated accesstoken (http req w/ retry)
      - access token - federated access token -> access token for gcp-sa-meshdataplane.iam.gserviceaccount.com:generateAccessToken
      - finally converts to StsResponseParameters format
- TokenExchanger: token -> token
  - 1 impl: providers/google/stsclient
    - create raw map (instead of StsRequestParameters)
    - http request to sts.googleapis.com/v1/token with retry
    - response into federatedTokenResponse
    - return AccessToken
- Users:

So it seems the CA is a subset of XDS/STS Server
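As an added illustration of what a single consolidated `TokenExchanger` could look like (example code written for this page, not Istio's own `stsclient` or `tokenexchangeplugin`), the block below does the three things the notes list separately today: builds a typed `StsRequestParameters` body instead of a raw map, posts it with retry on transient (5xx/network) failures only, and caches the resulting access token keyed by a hash of the subject token rather than the token itself. The endpoint, the JSON wire format, the `audience-placeholder` value and the `newFakeSTS` test server are all assumptions constructed for the example; a real deployment would point at sts.googleapis.com/v1/token or an in-cluster STS server.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
	"time"
)

// StsRequestParameters is an RFC 8693 token-exchange request (JSON encoding assumed here).
type StsRequestParameters struct {
	GrantType          string `json:"grant_type"`
	SubjectToken       string `json:"subject_token"`
	SubjectTokenType   string `json:"subject_token_type"`
	RequestedTokenType string `json:"requested_token_type,omitempty"`
	Audience           string `json:"audience,omitempty"`
}

// StsResponseParameters is the RFC 8693 token-exchange response.
type StsResponseParameters struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int64  `json:"expires_in"`
}

// TokenExchanger is the one interface the CA client and the XDS/STS server would both use.
type TokenExchanger interface {
	ExchangeToken(subjectToken string) (StsResponseParameters, error)
}

type cachedToken struct {
	resp   StsResponseParameters
	expiry time.Time
}

type stsClient struct {
	endpoint, audience string
	client             *http.Client
	maxRetries         int
	mu                 sync.Mutex
	cache              map[string]cachedToken // keyed by sha256(subject token), never the raw token
}

func NewStsClient(endpoint, audience string, maxRetries int) *stsClient {
	return &stsClient{endpoint: endpoint, audience: audience, maxRetries: maxRetries,
		client: &http.Client{Timeout: 5 * time.Second}, cache: map[string]cachedToken{}}
}

func cacheKey(tok string) string { h := sha256.Sum256([]byte(tok)); return hex.EncodeToString(h[:]) }

// ExchangeToken returns a cached token if still valid, otherwise performs the exchange.
// 5xx and transport errors are retried; 4xx (e.g. invalid_grant) are returned immediately.
func (c *stsClient) ExchangeToken(subjectToken string) (StsResponseParameters, error) {
	if subjectToken == "" {
		return StsResponseParameters{}, errors.New("empty subject token")
	}
	key := cacheKey(subjectToken)
	c.mu.Lock()
	ct, ok := c.cache[key]
	c.mu.Unlock()
	if ok && time.Now().Before(ct.expiry) {
		return ct.resp, nil
	}
	body, _ := json.Marshal(StsRequestParameters{
		GrantType:          "urn:ietf:params:oauth:grant-type:token-exchange",
		SubjectToken:       subjectToken,
		SubjectTokenType:   "urn:ietf:params:oauth:token-type:jwt",
		RequestedTokenType: "urn:ietf:params:oauth:token-type:access_token",
		Audience:           c.audience,
	})
	var lastErr error
	for attempt := 0; attempt <= c.maxRetries; attempt++ {
		resp, err := c.client.Post(c.endpoint, "application/json", bytes.NewReader(body))
		if err != nil {
			lastErr = err
		} else {
			var out StsResponseParameters
			decodeErr := json.NewDecoder(resp.Body).Decode(&out)
			resp.Body.Close()
			switch {
			case resp.StatusCode >= 500:
				lastErr = fmt.Errorf("sts returned %d", resp.StatusCode) // transient, retry
			case resp.StatusCode != http.StatusOK:
				return StsResponseParameters{}, fmt.Errorf("sts returned %d", resp.StatusCode)
			case decodeErr != nil:
				return StsResponseParameters{}, fmt.Errorf("decode sts response: %w", decodeErr)
			case out.AccessToken == "" || out.ExpiresIn <= 0:
				return StsResponseParameters{}, errors.New("sts response missing access_token or expires_in")
			default:
				c.mu.Lock() // refresh 30s early so a token about to expire is never handed out
				c.cache[key] = cachedToken{resp: out, expiry: time.Now().Add(time.Duration(out.ExpiresIn)*time.Second - 30*time.Second)}
				c.mu.Unlock()
				return out, nil
			}
		}
		time.Sleep(time.Duration(attempt+1) * 10 * time.Millisecond) // simple linear backoff
	}
	return StsResponseParameters{}, fmt.Errorf("token exchange failed after %d attempts: %w", c.maxRetries+1, lastErr)
}

// newFakeSTS is a constructed stand-in for an STS endpoint: the first request gets a 503,
// later well-formed exchange requests succeed. calls counts HTTP hits so callers can observe retries and cache use.
func newFakeSTS(calls *int32) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		n := atomic.AddInt32(calls, 1)
		var req StsRequestParameters
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil ||
			req.GrantType != "urn:ietf:params:oauth:grant-type:token-exchange" || req.SubjectToken == "" {
			http.Error(w, "invalid_request", http.StatusBadRequest)
			return
		}
		if n == 1 {
			http.Error(w, "temporarily unavailable", http.StatusServiceUnavailable)
			return
		}
		json.NewEncoder(w).Encode(StsResponseParameters{AccessToken: "ya29.constructed",
			IssuedTokenType: req.RequestedTokenType, TokenType: "Bearer", ExpiresIn: 3600})
	}))
}

func main() {
	var calls int32
	srv := newFakeSTS(&calls)
	defer srv.Close()
	c := NewStsClient(srv.URL, "audience-placeholder", 2)
	tok, err := c.ExchangeToken("eyJ.constructed-subject-jwt")
	fmt.Println(tok.AccessToken, err, "http calls:", atomic.LoadInt32(&calls))
	tok2, _ := c.ExchangeToken("eyJ.constructed-subject-jwt") // cache hit, no new call
	fmt.Println(tok2.AccessToken == tok.AccessToken, "http calls:", atomic.LoadInt32(&calls))
}
```

Two choices are worth noting from a security angle: 4xx responses are not retried, because an `invalid_grant` will not become valid on the next attempt and retrying only amplifies load on the STS, and the cache key is a hash so a dump of the in-memory cache does not expose the subject JWT alongside the access token it bought.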