What is the underlying problem you're trying to solve?
We would like to add support for Azure Key Vault keys to sign the client assertions used in OAuth2 Client Credentials JWT authentication. The current implementation signs the assertions using the signing_key.private_key or AWS KMS specified in the configuration. There is some config for Azure managed identities, but it would be nice to use Key Vault to sign client assertions for use with other Identity Providers.

Azure Key Vault allows signing data using the signing API. The path needs references to the key vault in question, the key reference and the key version. The request body needs alg and value. This will make it easier to secure OPA with the help of Key Vault.
Describe the ideal solution
We could probably reuse a lot of the KMS signing feature (https://github.com/open-policy-agent/opa/pull/5942/files) and refactor which API it calls to sign the value.
Additional Context
The KMS solution is similar and it doesn't seem too hard to expand upon it. We could look at implementing this ourselves. Haven't worked in Azure in a while, so I could be missing something here.
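The signing flow the issue describes, as an added example that is neither OPA's code nor part of this issue: a Go signer that calls the Key Vault sign endpoint (path carrying the vault, key name and key version; JSON body carrying alg and value), an RFC 7523 client assertion built on top of it, and a constructed in-process fake of the vault so the whole thing runs offline. Everything named here is an assumption (keyVaultSigner, the key name opa-client, version v1, the bearer token test-token, the audience https://idp.example/oauth2/token); the bearer token is taken as given, since in practice it would come from a managed identity or another credential. One detail worth noting: the Key Vault sign operation signs a digest, so the client hashes the JWT signing input itself and sends the base64url SHA-256 digest as value.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// keyVaultSigner calls the Azure Key Vault "sign" operation: POST
// {vault}/keys/{name}/{version}/sign?api-version=7.4 with {"alg":"RS256","value":base64url(SHA-256(data))}.
// Key Vault signs a digest, so hashing happens here; the bearer token is assumed to come from elsewhere.
type keyVaultSigner struct {
	VaultURL, KeyName, KeyVersion, Token string
	Client                                *http.Client
}

func (s *keyVaultSigner) Sign(data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	body, _ := json.Marshal(map[string]string{
		"alg": "RS256", "value": base64.RawURLEncoding.EncodeToString(digest[:]),
	})
	url := strings.TrimRight(s.VaultURL, "/") + "/keys/" + s.KeyName + "/" + s.KeyVersion + "/sign?api-version=7.4"
	req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(string(body)))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+s.Token)
	resp, err := s.Client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var out struct{ Value string } // Key Vault answers {"kid": ..., "value": base64url(signature)}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("key vault sign: HTTP %d, %v", resp.StatusCode, err)
	}
	return base64.RawURLEncoding.DecodeString(out.Value)
}

func b64JSON(v any) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}

// clientAssertion builds an RFC 7523 client assertion whose RS256 signature comes from Key Vault.
func clientAssertion(s *keyVaultSigner, clientID, aud string, now time.Time) (string, error) {
	input := b64JSON(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." +
		b64JSON(map[string]any{"iss": clientID, "sub": clientID, "aud": aud,
			"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()})
	sig, err := s.Sign([]byte(input))
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// fakeVault is a constructed stand-in for the Key Vault endpoint so the example runs
// offline; it rejects a wrong method, path, bearer token, alg or digest length.
func fakeVault(priv *rsa.PrivateKey, token string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Alg, Value string }
		_ = json.NewDecoder(r.Body).Decode(&in) // a decode failure leaves Value empty, caught below
		digest, derr := base64.RawURLEncoding.DecodeString(in.Value)
		if r.Method != http.MethodPost || !strings.HasSuffix(r.URL.Path, "/keys/opa-client/v1/sign") ||
			r.Header.Get("Authorization") != "Bearer "+token || in.Alg != "RS256" || derr != nil || len(digest) != sha256.Size {
			http.Error(w, "rejected", http.StatusForbidden)
			return
		}
		sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest)
		json.NewEncoder(w).Encode(map[string]string{"kid": r.URL.Path, "value": base64.RawURLEncoding.EncodeToString(sig)})
	})
}

// demo signs an assertion through the fake vault, then verifies it with the public key as an IdP would.
func demo() (string, error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := httptest.NewServer(fakeVault(priv, "test-token"))
	defer srv.Close()
	s := &keyVaultSigner{VaultURL: srv.URL, KeyName: "opa-client", KeyVersion: "v1", Token: "test-token", Client: srv.Client()}
	jwt, err := clientAssertion(s, "opa", "https://idp.example/oauth2/token", time.Now())
	if err != nil {
		return "", err
	}
	p := strings.Split(jwt, ".")
	sig, _ := base64.RawURLEncoding.DecodeString(p[2])
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	return jwt, rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, d[:], sig)
}
```

Only Sign would need to change to swap the backend: the header and claims construction is the same whether the signature comes from a local key, KMS or Key Vault, which is the refactoring the issue suggests. The fake vault's checks mirror what a real vault would refuse (wrong key path, missing or wrong bearer token, an alg that does not match the key), so a misconfiguration fails at Sign with an HTTP status rather than producing an assertion the identity provider then rejects.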