-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenID Connect: Identify user by more JWT claims than just a single one #71715
Comments
@kubernetes/sig-auth-feature-requests |
@heikoettelbruecksap: Reiterating the mentions to trigger a notification: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@kubernetes/sig-auth-feature-requests |
@heikoettelbruecksap: Reiterating the mentions to trigger a notification: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@kubernetes/sig-auth-feature-requests |
@heikoettelbruecksap: Reiterating the mentions to trigger a notification: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
in this case, using "{origin}|{user_name}" sounds counter to the intent of the identity provider. presumably the sub uniquely identifies the user independently of the authentication origin to allow authentication via other origins to map to the same user. By taking "{origin}|{user_name}" as the identity, it means the same user authenticating via a different origin would lose all kubernetes permissions granted to their first login method expecting a single claim from the provider the represent the identity seems safest. if you wanted to allow combining claims like this, you could do so with an authentication webhook that added that on top of oidc validation. /close |
@liggitt: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@heikoettelbruecksap with #121078 merged, this should be possible now as an alpha feature in v1.29. |
Summary:
In our use case, ID tokens of our OpenID connect provider (CF UAA) don't have a single claim that
However, currently the API server only supports choosing a single claim (=> usernameClaim) which is treated as (expected to be unique) user name within the cluster.
Basically I see two options to resolve this situation:
=> Do you have similar use cases, so the generic approach would help there, too?
Details:
We use CF UAA as OpenID connect provider for Kubernetes clusters, which supports connecting multiple external identity providers (per single identity zone / tenant). Respective ID tokens issued by UAA contain certain information that could be used to identify users from the cluster (e.g. for role bindings within the cluster):
The text was updated successfully, but these errors were encountered: