Summary
Ansible Automation Platform is expanding its OIDC Identity Provider capability to enable zero-trust workload identity across the automation ecosystem. AAP-issued short-lived JWT tokens allow running automation jobs to authenticate to external platforms without static credentials — eliminating credential sprawl and meeting sovereign cloud and secure AI factory compliance requirements.
We are evaluating whether check_point.mgmt can support OIDC workload identity authentication to Check Point Security Management, and would appreciate your input on feasibility.
Context
- Current auth model in this collection: REST API with session-based authentication
- Proposed flow: AAP issues a JWT → job presents it to Check Point Security Management → platform validates against AAP's OIDC discovery endpoint → platform grants access
- Use cases: Zero-trust automation, sovereign cloud deployments, secure AI factory infrastructure, regulated environments requiring no static credentials
Questions for Maintainers
- Does Check Point Security Management support OIDC/OAuth2 token validation from external identity providers today?
- Could this collection accept a bearer token or JWT as an alternative authentication method?
- Are there any API endpoints that already support token-based auth that could be leveraged?
- What level of effort would be required to add OIDC token auth as an option alongside existing auth methods?
- Are there any architectural constraints in the collection's auth layer that would make this difficult?
References
We're happy to collaborate on this and can provide technical details about the AAP JWT claims schema and token exchange patterns.
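The relying-party half of the proposed flow (token presented, then validated against the issuer's published keys) can be sketched as follows. This is an added example, not part of the original issue and not code from AAP, Check Point or this collection. The issuer URL, audience, `kid`, `sub` value and the toy RSA key are constructed assumptions, since the page does not give the AAP claims schema.

```python
import base64, hashlib, json

# Constructed toy RSA key (two Mersenne primes): demo only, never a real key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

JWKS = {"keys": [{"kty": "RSA", "kid": "demo-key",  # constructed; stands in for jwks_uri
                  "n": b64u(N.to_bytes(K, "big")), "e": b64u(E.to_bytes(3, "big"))}]}

def encode_em(signing_input, k):
    # EMSA-PKCS1-v1_5 over SHA-256, the padding RS256 uses
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def issue(claims, alg="RS256"):
    # Issuer side, a hypothetical stand-in for the IdP signing with the toy key
    head = b64u(json.dumps({"alg": alg, "kid": "demo-key"}).encode())
    signing_input = (head + "." + b64u(json.dumps(claims).encode())).encode()
    sig = pow(int.from_bytes(encode_em(signing_input, K), "big"), D, N)
    return signing_input.decode() + "." + b64u(sig.to_bytes(K, "big"))

def validate(token, keys, issuer, audience, now, max_lifetime=900):
    # Relying-party side: every check must pass before access is granted
    head_b64, body_b64, sig_b64 = token.split(".")
    head = json.loads(unb64u(head_b64))
    if head.get("alg") != "RS256":  # pin the algorithm; reject "none" and HMAC
        raise ValueError("unexpected alg")
    key = next((j for j in keys["keys"] if j.get("kid") == head.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(unb64u(key[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(unb64u(sig_b64), "big"), e, n).to_bytes(k, "big")
    if em != encode_em((head_b64 + "." + body_b64).encode(), k):
        raise ValueError("bad signature")
    c = json.loads(unb64u(body_b64))
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if c.get("iss") != issuer or audience not in aud:
        raise ValueError("wrong issuer or audience")
    if not (c["iat"] <= now < c["exp"] <= c["iat"] + max_lifetime):
        raise ValueError("expired, not yet valid, or too long-lived")
    return c
```

The `max_lifetime` bound is what enforces "short-lived" on the receiving side: a correctly signed token with a day-long validity window is rejected even though its signature verifies.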