  1. OpenShift Request For Enhancement
  2. RFE-3288

Ability to use Client Credentials with OpenShift Authentication


      1. Proposed title of this feature request

      Ability to use Client Credentials with OpenShift Authentication

      2. What is the nature and description of the request?

      OpenShift supports OpenID Connect / OAuth flows for user (browser) -> OCP application authentication. For an application to talk to OCP, OpenShift / K8s service accounts seem to be the preferred way to do it: App --> OCP using a service account token.

      However, the customer needs to use the industry-standard way of doing app-to-app authentication, which is the OAuth client credentials flow, i.e. App --> OCP via tokens issued by the identity provider (IDP).

      While the IDP configured in OpenShift also supports client credentials, OpenShift does not. As a result, the customer is forced to use OpenShift service accounts (or X.509 certificates, which require out-of-band management for certificate rotation and revocation).

      The request is to use the client credentials grant to obtain the token from the IDP, so that the application can be authenticated with it instead of with service account tokens.
      The OAuth 2.0 protocol has contained this feature for a while now.

      3. Why does the customer need this? (List the business requirements here)

      Ability to allow the application to obtain the token from the IDP instead of from OpenShift, so that the application can authenticate without service account tokens.

      4. List any affected packages or components.

      openshift-oauth, openshift-authentication

      Additional info
      https://www.rfc-editor.org/rfc/rfc6749#section-4.4
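
      The IDP side of the client credentials grant referenced above (RFC 6749 sections 4.4, 2.3.1, 5.1 and 5.2), as an added example that is not part of the original request and not OpenShift code. The token URL, client ID, secret, scope and responses are constructed placeholders; the example stops at the bearer header because accepting that token in OpenShift is what this request asks for.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode


def build_token_request(token_url, client_id, client_secret, scope=None):
    """Build the RFC 6749 section 4.4.2 access token request (not sent here)."""
    # Section 2.3.1: form-encode id and secret, join with ':', send as HTTP Basic.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    return token_url, headers, urlencode(params)


def parse_token_response(status, body, now):
    """Validate a token endpoint response (sections 5.1 / 5.2); return the bearer header."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise PermissionError(data.get("error", f"HTTP {status}"))
    if not data.get("access_token") or data.get("token_type", "").lower() != "bearer":
        raise ValueError("response is missing access_token or is not a bearer token")
    return {
        "authorization": "Bearer " + data["access_token"],
        # expires_in is optional; None means the lifetime was not stated
        "expires_at": now + int(data["expires_in"]) if "expires_in" in data else None,
    }


# Constructed sample values: not a real IDP, client or token.
SAMPLE_OK = '{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 300}'
SAMPLE_ERR = '{"error": "invalid_client"}'

if __name__ == "__main__":
    url, headers, form = build_token_request(
        "https://idp.example.com/token", "billing-app", "s3cr3t:/+", "api.read")
    print("POST", url, headers, form)
    print(parse_token_response(200, SAMPLE_OK, now=1_700_000_000))
```

      The client secret is the long-lived credential in this flow, so it needs the same storage and rotation care as a service account token; the access token itself expires at `expires_at`.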

              atelang@redhat.com Anjali Telang
              rhn-support-vwalek Vladislav Walek