[Extensions] Issue access token on behalf of user stored in scheduled job identity index #2603
Description
For scheduled jobs, there needs to be a secure mechanism for Job Scheduler to issue new access tokens on behalf of the user associated with a job to provide to a job runner. In the current plugin architecture, plugins persist the user's roles roles at time of creation in the job details index associated with the plugin and then inject them into the ThreadContext when the job executes to evaluate privileges. For extensions, this model is being changed in favor of stored user info associated with a job in a single secure index.
Job Scheduler can use then identity system to request a new access token on behalf of a user associated with a scheduled job stored in the scheduled job identity index.