For the scenario:
Agent 1 --> Agent 2 --> Resource
Agent 1 passes an Auth Token... and for Agent 2 to call resource, it needs to pass the following to Resource's Auth Server:
- resource token
- Agent 2's "upstream" token, aka the token Agent 1 passes to Agent 2.
But it's not clear how the Auth Server involved in the token exchange is supposed to verify the signature.
The upstream auth token MUST be presented via the Signature-Key header using sig=jwt;jwt="".
Which signature? The upstream jwt is signed by Agent 1 (i.e., jwt.cnf is Agent 1's public key). The JWT itself is signed by the Auth Server of Agent 2.