oauth2 protected service to service communication using service account tokens from kubernetes

[sjvaiz]

I would like to use kubernetes service account tokens (JWTs) to exchange for access_tokens with Ory. Going through the documentation, I can imagine that it is possible to establish trust relationship between Ory and k8s OIDC discovery endpoint. I do not see in the documentation that shows such a use-case, however I do see that you can simply use private/public key pair to validate JWTs.

My questions is, did anyone try using k8s oidc discovery to exchange service account tokens for access_token and/or faced any challenges?

[vinckr]

Hey @sjvaiz

I havent tried this myself and the documentation does not contain specific information about using Kubernetes service account tokens to exchange for access tokens with Ory.

However, Ory does support the use of JWTs for OAuth 2.0 Grants, which allows a client to send a signed JWT token to an OpenID Connect Provider in exchange for an OAuth 2.0 access token read more here.
You can establish a trust relationship using the trustOAuth2JwtGrantIssuer function as shown here:

import { Configuration, OAuth2Api } from "@ory/client"  
  
const ory = new OAuth2Api(  
 new Configuration({  
 basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,  
 accessToken: process.env.ORY_API_KEY,  
 }),  
)  
  
export async function createTrustRelation(accessToken: string) {  
 const { data } = await ory.trustOAuth2JwtGrantIssuer({  
 trustOAuth2JwtGrantIssuer: {  
 // The "allow_any_subject" indicates that the issuer is allowed to have any principal as the subject of the JWT.  
 allow_any_subject: true,  
  
 // The "subject" identifies the principal that is the subject of the JWT. It must be unset if `allow_any_subject` is true.  
 subject: "some-subject-id",  
  
 // The "expires_at" indicates, when grant will expire, so we will reject assertion from "issuer" targeting "subject".  
 expires_at: "2021-04-23T18:25:43.511Z",  
 
 // The "issuer" identifies the principal that issued the JWT assertion (same as "iss" claim in JWT).  
 issuer: "https://example.org",  
  
 // The public key with which the JWT's signature can be verified (example)  
 jwk: {  
 alg: "RS256",  
 use: "sig",  
 kty: "RSA",  
 e: "AQAB",  
 kid: "d8e91f55-67e0-4e56-a066-6a5f0c2efdf7",