-
Notifications
You must be signed in to change notification settings - Fork 188
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should have the option to use access_token
instead of id_token
#1083
Comments
Implements int128#1083. See description there for context.
Implements int128#1083. See description there for context.
Implements int128#1083. See description there for context. In its current form, this PR is barebones functionality. I have not yet added any tests to confirm this behavior. But I have validated it locally. Without adding `--oidc-use-access-token`, and `id_token` is successfully returned. Adding `--oidc-use-access-token` results in an `access_token` being successfully returned.
Implements int128#1083. See description there for context. In its current form, this PR is bare bones functionality. I have not yet added any tests to confirm this behavior. Additionally, we could consider updtating some of the naming. It is confusing to return a `TokenSet` where `IDToken` actually has an `accessToken`. I'm open to feedback on how best to improve this. However, this PR is functional in its current form. I have validated it locally. Without adding `--oidc-use-access-token`, and `id_token` is successfully returned. Adding `--oidc-use-access-token` results in an `access_token` being successfully returned.
Implements int128#1083. See description there for context. In its current form, this PR is bare bones functionality. I have not yet added any tests to confirm this behavior. Additionally, we could consider updtating some of the naming. It is confusing to return a `TokenSet` where `IDToken` actually has an `accessToken`. I'm open to feedback on how best to improve this. However, this PR is functional. I have validated it locally. Without adding `--oidc-use-access-token`, and `id_token` is successfully returned. Adding `--oidc-use-access-token` results in an `access_token` being successfully returned.
access_token
instead of id_token
access_token
instead of id_token
Another problem with the ID token is that, by definition the In my opinion this is an incorrect use of OAuth2/OIDC. Actually kubectl is the Client, which requests a token on behalf of the User to access the cluster. The cluster, in OAuth2/OIDC terms, is the Resource Server. The id_token is only meant for the Client. The access_token is meant for the Resource Server. If using OIDC correctly, a cluster will reject the id_token because it doesn't state the cluster's client ID as the audience. Or am I wrong? |
Purpose of the feature (why)
It should be possible to configure this tool to use an
access_token
instead of anid_token
. Many identity providers expose extra claims inaccess_token
s that are not available inid_token
s. One concrete example is thescp
claim in Azure AD that can be used to identify which scopes were requested. In my case, I'm using additional scopes to force the ID provider to trigger MFA, and I'd like to use--oidc-required-claim
server-side to verify that the tokens issued have the necessary extra scope. Similiarly, AzureAD also only exposes theamr
claim on the access token which more directly indicates if the user used MFA, however the values of that are an array, not a string, so I cannot simply use--oidc-required-claim
with that.The kubernetes docs indicate that we should be using the
id_token
, not theaccess_token
, but there is more nuance to that. As an example, see this thread: Why use id tokens instead of access tokens for authorization. I can also share anecdotal data that there are other use cases that have come up in my work where we've had to resort to using theaccess_token
instead of theid_token
in an OIDC flow in order to access the necessary claims. Lastly, the Azure basedkubelogin
tool also uses theaccess_token
, not theid_token
. See logic here.I believe the user of this tool should be able to choose to use
access_token
s instead, assuming they understand these nuances, even though it is not the suggested path according to the official kubernetes docs.Your idea (how)
I suggest adding a new CLI flag to the
get-token
command:--oidc-use-access-token
. This will then return theaccess_token
instead of theid_token
in this method:kubelogin/pkg/oidc/client/client.go
Line 195 in fdcdcc3
pkg/oidc/client/client.go
). See #1084 for the PR.The default behavior will be unchanged (using
id_token
), this new behavior must be opted into.The text was updated successfully, but these errors were encountered: