Got some answers from #sig-auth: https://kubernetes.slack.com/archives/C0EN96KUY/p1667201299188199
- OIDC generally, it's not good practice to contact the IdP on every request
- Token:
{
"iss": "https://idp.example",
"aud": "some-audience",
"sub": "02d72843-a096-43b9-9d61-0c4640bbdb2f",
"exp": 1667210553,
"iat": 1667210253,
"nbf": 1667210253,
"auth_time": 1667210250,
"nonce": "qVpWjlyjjcl864K0wbxY",
"at_hash": "f6635997174ed32be12fd2a966ded31d82fbad8a77f035fec47f0cca988efd58",
}
- ldP issues and IDToken
id_token:-
- is signed by the ldP
-
- is JWT with well known fields (name, email, etc.)
-
- is self contained and from k8s' perspective can't be revoked
-
- aren't stored anywhere: each transaction has its own token that is part of the request
-
- isn't meant to grant any level of access (i.e. you are supposed to use the access token for that)
-
- best practice is to issue short lived ID tokens (24h TTL) and with your refresh_token set to some kind of timeout
-
- you just need the public key to verify them (not a storage lookup)
-
- public key is fetched from the configured issuer (i.e. https://accounts.google.com/.well-known/openid-configuration)
-
-
- the jwks_uri is set to https://www.googleapis.com/oauth2/v3/certs
-
-
- if you need to revoke access you can tell your identity provider to forcefully terminate the session which will invalidate the refresh every minute
-
- If signature verification fails but the issuer matches, the API server will attempt to refetch the public keys (see the PubKey Fetcher)
- dex for example sets the ID token lifetime to 1 day by default, which IMO is far too large for the kube use case
- most IDPs supports:
-
- access token revocation so having longer lifetimes
-
- configuring the token length per OAuth client
- k8s would need to know to check that revocation endpoint
- for custom validation for OIDC tokens, webhook mode already lets you implement that, including access checks per request, like Anthos does
-
- JWT as a token encoding / verification format, and CEL to encode the policy
Kubernetes deep-dive:
- Uses:
- OIDC: https://github.com/kubernetes/kubernetes/blob/ea0764452222146c47ec826977f49d7001b0ea8c/pkg/serviceaccount/openidmetadata.go#L58
- Route: https://github.com/kubernetes/kubernetes/blob/c5242edd929fc40f97d3f6ee3e8874ac1b297087/pkg/routes/openidmetadata.go#L60
- Verifier: https://github.com/coreos/go-oidc/blob/fb9e00951dc7a7d035e7664a5df116c3563afbd7/oidc/verify.go#L58-L74
- PubKey fetcher: https://github.com/coreos/go-oidc/blob/fb9e00951dc7a7d035e7664a5df116c3563afbd7/oidc/jwks.go#L154
- PubKey caching: https://github.com/coreos/go-oidc/blob/0a04a64b04528b82e123ef457b620241d7418b0c/oidc/jwks.go#L81
- Book: https://github.com/PacktPublishing/Kubernetes---An-Enterprise-Guide-2E/blob/main/chapter5/B17950_Chapter_05.pdf