Description
With FederatedJWTClientAuthenticator, the federated client ID might reflect the protocol-specific workload identity and therefore might be different from the client ID. Some emerging OAuth standards are making use of the workload identities established during client authentication; for example, Transaction Tokens require the req_wl claim to reflect the actual workload identity, in addition to the "classic" sub claim.
It would be nice to expose the federated client ID as a client auth attribute (ClientAuthenticationFlowContext::getClientAuthAttributes()). This way, it could be used by other components like mappers and token exchange providers.
Value Proposition
Improve interoperability with the emerging workload identity related OAuth standards like Transaction Tokens