@Dentrax
Last active November 29, 2022 11:50
Kubernetes OIDC - IDToken

Kubernetes OIDC Flow - Sig-Auth

Got some answers from #sig-auth: https://kubernetes.slack.com/archives/C0EN96KUY/p1667201299188199

  • In OIDC generally, it's not good practice to contact the IdP on every request
  • Token:
```json
{
  "iss": "https://idp.example",
  "aud": "some-audience",
  "sub": "02d72843-a096-43b9-9d61-0c4640bbdb2f",
  "exp": 1667210553,
  "iat": 1667210253,
  "nbf": 1667210253,
  "auth_time": 1667210250,
  "nonce": "qVpWjlyjjcl864K0wbxY",
  "at_hash": "f6635997174ed32be12fd2a966ded31d82fbad8a77f035fec47f0cca988efd58"
}
```
  • IdP issues an ID token
  • id_token:
    • is signed by the IdP
    • is JWT with well known fields (name, email, etc.)
    • is self contained and from k8s' perspective can't be revoked
    • isn't stored anywhere: each transaction has its own token that is part of the request
    • isn't meant to grant any level of access (i.e. you are supposed to use the access token for that)
    • best practice is to issue short lived ID tokens (24h TTL) and with your refresh_token set to some kind of timeout
    • you just need the public key to verify them (not a storage lookup)
    • if you need to revoke access you can tell your identity provider to forcefully terminate the session which will invalidate the refresh every minute
    • If signature verification fails but the issuer matches, the API server will attempt to refetch the public keys (see the PubKey Fetcher)
  • dex for example sets the ID token lifetime to 1 day by default, which IMO is far too large for the kube use case
  • most IdPs support:
    • access token revocation so having longer lifetimes
    • configuring the token length per OAuth client
  • k8s would need to know to check that revocation endpoint
  • for custom validation for OIDC tokens, webhook mode already lets you implement that, including access checks per request, like Anthos does
    • JWT as a token encoding / verification format, and CEL to encode the policy
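As an added example (not code from the Slack thread or from the gist author), here is a minimal Go sketch of the id_token checks listed above: signature verification against the IdP public key, then iss/aud/exp/nbf, with no storage lookup and no call to the IdP, plus the refetch-on-signature-failure behaviour from the PubKey Fetcher bullet. The sample claims are taken from the token above; the `signRS256` stand-in for the IdP, the `fetchKey` closure and the function names are assumptions of this example, not Kubernetes API server code.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Nbf int64  `json:"nbf"`
}
// signRS256 stands in for the IdP (assumed helper): it issues a compact JWS (header.payload.sig) over the claims.
func signRS256(key *rsa.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig)
}
// verifyIDToken checks the signature with the IdP public key, then iss/aud/exp/nbf (no storage lookup, no
// IdP call). fetchKey models the API server's cached key fetcher; a bad signature with matching iss refetches once.
func verifyIDToken(token, wantIss, wantAud string, now int64, fetchKey func() *rsa.PublicKey) (c Claims, err error) {
	hdr, rest, ok1 := strings.Cut(token, ".")
	pl, sg, ok2 := strings.Cut(rest, ".")
	payload, err1 := b64.DecodeString(pl)
	sig, err2 := b64.DecodeString(sg)
	if !ok1 || !ok2 || err1 != nil || err2 != nil || json.Unmarshal(payload, &c) != nil {
		return c, errors.New("malformed token")
	}
	h := sha256.Sum256([]byte(hdr + "." + pl))
	if err = rsa.VerifyPKCS1v15(fetchKey(), crypto.SHA256, h[:], sig); err != nil && c.Iss == wantIss {
		err = rsa.VerifyPKCS1v15(fetchKey(), crypto.SHA256, h[:], sig) // refetch once, then re-verify
	}
	switch {
	case err != nil:
		return c, errors.New("bad signature")
	case c.Iss != wantIss || c.Aud != wantAud:
		return c, errors.New("issuer or audience mismatch")
	case now >= c.Exp || now < c.Nbf:
		return c, errors.New("token outside its validity window")
	}
	return c, nil
}
```

Claims are only acted on after the signature check passes; the unverified `iss` is read solely to decide whether a refetch is worth attempting, which is what keeps a foreign issuer from triggering key fetches.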

Kubernetes deep-dive:
