Re: [oauth] SASL mechanisms

On Tue, Dec 09, 2025 at 01:18:43PM -0800, Jacob Champion wrote:
> [...]

What do you think of

  https://datatracker.ietf.org/doc/id/draft-williams-http-bearer-extension.txt

?

Yes, it's HTTP-specific, but somee of that might be useful here.

Also, what do you think of a GSS-API mechanism that supports JWT for
client auth?  I've a design in mind where if you ask for no security
services in gss_init_sec_context()'s req_flags then you get a singular
context token and it's just the JWT, and otherwise you get TLS 1.3
handshake messages as GSS tokens w/ ALPN to identify this as a GSS mech
and the JWT as 0-rtt data or piggybacked (encrypteed either way) onto
the client final, w/ TLS exporter for keying Kerberos per-message
tokens.  This would allow PG to support JWT via GSS-API.  Look ma'! no
changes!

On the client/initiator side I'd have the client fetch a token as needed
from the local, configured STS, and do something like Kerberos referrals
(HTTP redirects) for "cross-realm" stuff if needed.

Nico
--