A97: xDS JWT Call Credentials (#492)
kyessenov left a comment:
I'll let @howardjohn confirm, but I think this covers Istio functionality. For a sidecar, the service account token is mounted as "istio-token" JWT with a different audience.
Hey; may I ask what's needed to progress this proposal? 🙏
@dimpavloff Thanks for the ping! There's nothing blocking this other than finding the time to push it forward. :) Do you have a particular gRPC language in which you're waiting for this feature?
Ah, I know the feeling :)
Yes. At my company we use Go and are keen to adopt gRPC proxyless, but we hit istio/istio#53532, which is what led me here.
> ### JwtTokenFileCallCredentials
> Note: This section is intended for gRPC implementations that need to
Java implementation note: We can use JsonWebSignature.parse().getPayload().getExpirationTimeSeconds() to create an AccessToken with appropriate expiration. We could extend OAuth2Credentials and implement refreshAccessToken(). It takes care of stale vs expiration checking. Using JsonWebSignature is essentially re-implementing IdToken, which would probably work today, but technically this is not necessarily an IdToken so we should probably avoid the existing class.
This is the first part of implementing gRFC A97 (grpc/proposal#492). Closes #39769 COPYBARA_INTEGRATE_REVIEW=#39769 from markdroth:jwt_token_call_creds fd890a3 PiperOrigin-RevId: 772533750
…le call creds (#39772) This is the second half of gRFC A97 (grpc/proposal#492). Closes #39772 COPYBARA_INTEGRATE_REVIEW=#39772 from markdroth:jwt_token_call_creds2 727f770 PiperOrigin-RevId: 776233709
…7) (#8431) Part one for grpc/proposal#492 (A97). This is done in a new `credentials/jwt` package to provide file-based PerRPCCallCredentials. It can be used beyond XDS. The package handles token reloading, caching, and validation as per A97. There will be a separate PR which uses it in `xds/bootstrap`.

Whilst implementing the above, I considered `credentials/oauth` and `credentials/xds` packages instead of creating a new one. The former package has `NewJWTAccessFromKey` and `jwtAccess` which seem very relevant at first. However, I think the `jwtAccess` behaviour seems more tailored towards Google services. Also, the refresh, caching, and error behaviour for A97 is quite different than what's already there and therefore a separate implementation would have still made sense. WRT `credentials/xds`, it could have been extended to both handle transport and call credentials. However, this is a bit at odds with A97 which says that the implementation should be non-XDS specific and, from reading between the lines, usable beyond XDS. I think the current approach makes review easier but because of the similarities with the other two packages, it is a bit confusing to navigate. Please let me know whether the structure should change.

Relates to istio/istio#53532

RELEASE NOTES:
- credentials: Add `credentials/jwt` package providing file-based JWT PerRPCCredentials (A97).
) Part two for grpc/proposal#492 (A97), following #8431. What this PR does is:
- update `internal/xds/bootstrap` with support for loading multiple PerRPCCallCredentials specified in a new `call_creds` field in the bootstrap file as per A97
- adjust `xds/internal/xdsclient/clientimpl.go` to use the call credentials when constructing the client
- update `xds/bootstrap` to register the `jwtcreds` call credentials and make them available if `GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS` is enabled

Relates to istio/istio#53532

RELEASE NOTES:
- xds: add support for loading a JWT from file and use it as Call Credentials (A97). To enable this feature, set the environment variable `GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS` to `true` (case insensitive).