Assigning to API / SPI for now but we may want to create a new component to track token based authentication, especially JWT.

It may be desirable for us to be able to issue JWT tokens that can be used elsewhere.

At the moment our identity propagation makes use of credentials delegated to us during authentication but we have some more opportunities if we can obtain new credentials dynamically for this propagation.

An ideal use case for this could be a traditional web application already secured using traditional authentication such as username / password via a form, in that case the application will have a resulting SecurityIdentity with attributes, roles, and permissions assigned.

This feature request is to consider a component internal to the process to convert the SecurityIdentity to a JWT token that can now be used for any outbound calls as the identity to propagate the identity.

One possibility is some kind of transformation that can be applied on the SecurityDomain so the resulting SecurityIdentity has an associated JWT token credential as soon as it is created.

Another alternative is more integration within authentication client, the destination could be taken into account so different tokens / mappings are applied for different destinations.

I wont create the separate Jira issue yet but this could also open an option to dynamically obtain a token from a remote issuer - we may have been delegated a credential we can use to authentication against a remote identity provider and request a token that way.