Red Hat Advanced Cluster Security: ROX-30087

Support Implicit Machine-to-Machine (m2m) Token Exchange for External JWT Issuers

    • Type: Story
    • Resolution: Done
    • Priority: Undefined
    • Component: Central
    • Sprint: Rox Sprint 4.9C - Global, Rox Sprint 4.9D - Global

      Description

      To ease integrations with third-party clients that do not support the full m2m token exchange flow (such as Prometheus server and OpenShift Console), StackRox should implicitly exchange external JWTs for StackRox tokens.

      The proposed change inspects the token's issuer before validation. If the token was not issued by StackRox, the backend transparently attempts the m2m exchange and then processes the request with the exchanged token. This adds a minor overhead from the extra JWT parsing; parsing optimization can be considered in a follow-up.
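      As an added illustration of the routing described above (example code, not code from the StackRox project): a Go sketch that peeks at the unverified `iss` claim of a bearer JWT to decide whether the token is StackRox-issued or must first go through the m2m exchange. `stackRoxIssuer`, `resolveToken`, the exchange callback and the constructed alg=none sample tokens are all assumptions; the unverified issuer is used only to pick a path, and the chosen path (native validation or the exchange) still validates the token fully.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

const stackRoxIssuer = "https://stackrox.io/jwt" // assumed placeholder for Central's own issuer

// peekIssuer reads the unverified "iss" claim purely to route the request. No signature
// is checked here, so whichever path is chosen must still fully validate the token.
func peekIssuer(rawJWT string) (string, error) {
	parts := strings.Split(rawJWT, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT: got %d segments, want 3", len(parts))
	}
	var claims struct{ Issuer string `json:"iss"` }
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil || claims.Issuer == "" {
		return "", fmt.Errorf("payload carries no usable iss claim")
	}
	return claims.Issuer, nil
}

// resolveToken returns the token to continue processing with and whether an implicit exchange
// happened: StackRox tokens pass through, any other issuer goes through the m2m exchange first.
func resolveToken(rawJWT string, exchange func(string) (string, error)) (string, bool, error) {
	iss, err := peekIssuer(rawJWT)
	if err != nil {
		return "", false, err
	}
	if iss == stackRoxIssuer {
		return rawJWT, false, nil
	}
	token, err := exchange(rawJWT) // the exchange validates the external token and applies the m2m mapping
	if err != nil {
		return "", true, fmt.Errorf("implicit m2m exchange for issuer %q: %w", iss, err)
	}
	return token, true, nil
}

// makeUnsignedJWT builds a constructed alg=none sample token so the example runs offline.
func makeUnsignedJWT(iss, sub string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "none"})
	body, _ := json.Marshal(map[string]string{"iss": iss, "sub": sub})
	e := base64.RawURLEncoding
	return e.EncodeToString(hdr) + "." + e.EncodeToString(body) + "."
}
```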

      Acceptance Criteria

      • External JWT tokens (e.g., OpenShift service account, Google ID tokens) can be automatically exchanged for valid StackRox m2m tokens by the backend during request processing.
      • Requests authenticated using exchanged tokens grant the user/role as configured in m2m mapping (e.g., sm-inspector SA mapped to Network Graph Viewer).
      • Unit tests are in place to verify the logic of implicit token exchange.
      • The behavior is documented and/or changelog is updated as needed.

      Testing Instructions

      Examples of validating this:

      • Access StackRox APIs using an OpenShift service account token; see role mapping in effect.
      • Access StackRox APIs using a Google ID token; see role mapping as per m2m configuration.

              mipetrov@redhat.com Michaël Petrov
              ACS Sensor & Ecosystem