Preflight Checklist
Problem Description
It is useful for users connected via OIDC federation to be able to run Machine-to-Machine operations using their existing identity.
Proposed Solution
Add Personal Access Tokens to Dex that capture the identity of the user whose token is used to create them, together with that user's currently granted scopes. The flow is roughly the same as a refresh flow: it re-checks the user's identity against the connector, giving admins a path to remove the user, and then issues a short-lived token to use against the protected services. Users can manage their own PATs via exposed APIs, and admins should be able to revoke them, similar to offline sessions.
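As an added sketch of the proposed flow (example code, not Dex's own implementation): a PAT store that keeps only a hash of the secret plus the captured identity and scopes, an exchange step that re-checks the user before minting a short-lived token, and owner/admin revocation. The `IdentityCheck` hook, `PATStore` and all names below are assumptions chosen for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"slices"
	"time"
)
// PAT is the stored record: only the secret's hash (the map key) plus the identity
// and scopes captured when the user created the token. (Hypothetical model, not Dex's.)
type PAT struct{ ID, UserID string; Scopes []string; Revoked bool }
// AccessToken is the short-lived credential minted from a valid PAT.
type AccessToken struct{ Subject string; Scopes []string; Expiry time.Time }
// IdentityCheck stands in for the connector's user lookup (hypothetical hook).
type IdentityCheck func(userID string) (active bool, err error)
type PATStore struct{ byHash map[string]*PAT }

func NewPATStore() *PATStore     { return &PATStore{byHash: map[string]*PAT{}} }
func hashSecret(s string) string { h := sha256.Sum256([]byte(s)); return hex.EncodeToString(h[:]) }

// Create issues a PAT; requested scopes must be a subset of what the user holds right now.
func (st *PATStore) Create(id, userID string, granted, requested []string) (string, error) {
	for _, r := range requested {
		if !slices.Contains(granted, r) { return "", errors.New("scope not granted to user: " + r) }
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil { return "", err }
	secret := hex.EncodeToString(raw)
	st.byHash[hashSecret(secret)] = &PAT{ID: id, UserID: userID, Scopes: requested}
	return secret, nil
}

// Exchange mirrors the refresh flow: look up by hash, refuse if revoked, re-check the user, mint a short-lived token.
func (st *PATStore) Exchange(secret string, check IdentityCheck, ttl time.Duration) (*AccessToken, error) {
	p, ok := st.byHash[hashSecret(secret)]
	if !ok || p.Revoked { return nil, errors.New("unknown or revoked token") }
	if active, err := check(p.UserID); err != nil || !active { return nil, errors.New("user identity no longer valid") }
	return &AccessToken{Subject: p.UserID, Scopes: p.Scopes, Expiry: time.Now().Add(ttl)}, nil
}

// Revoke disables a PAT by ID, whether by its owner or an admin.
func (st *PATStore) Revoke(id string) bool {
	for _, p := range st.byHash {
		if p.ID == id { p.Revoked = true; return true }
	}
	return false
}
```

A removed or deactivated user fails the identity check on every exchange, so existing PATs stop working without any per-token cleanup.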
Alternatives Considered
The local connector is currently used for this, but the resulting identity is different from the federated one, and the accounts require admin access to manage, which is not that secure.
Additional Information
No response