
The Kubernetes documentation related to OpenID Connect mentions that as part of setting things up you need to supply some parameters to the API server:

--oidc-client-id: A client id that all tokens must be issued for.

There is no other explanation about how this would map to, say, something returned by the OpenID Connect-conformant Google identity provider.

I don't know what this parameter value will be used for. Will it match against something in the decoded JWT token?

It looks like the id_token returned by the Google identity provider might contain something, once decoded, in its aud field (aud is apparently short for "audience"). Is this what the --oidc-client-id should match? Am I way off?

Laird Nelson

1 Answer


This can be explained from the kubernetes documentation on id tokens.

As you can see, the identity provider is a separate system. For example, this can be MS Azure AD or Google, as you have shown.

When you register with an identity provider, you get important things in return. The client id is one such important parameter. If you are aware of the OpenID Connect flow, you need to provide this client id when you follow the flow. If the flow completes, you will be returned an id token. An id token has one must-have claim, aud, which is the audience the token was issued for.

When you validate an id token you MUST verify you are in the audience list. More can be found from the spec.

Quoting from specification,

The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience

Now, Kubernetes uses bearer tokens. Here the tokens used are id tokens. To validate the token it should know specifically the audience. This enables the API server to validate that the token was issued for the particular client who made the call. Thus authorising the call to succeed.

Kavindu Dodanduwa
  • Thank you for your answer. I am aware that the identity provider is a separate system. And I am aware that this OpenID Connect-compliant system will return me an `id_token` conforming to the [specification](http://openid.net/specs/openid-connect-core-1_0.html#IDToken). But where in the [Kubernetes documentation](https://kubernetes.io/docs/admin/authentication/#openid-connect-tokens) does it tell me that the value of the `aud` field will be matched against the value of the `--oidc-client-id` parameter? – Laird Nelson Jul 12 '17 at 07:19
  • @LairdNelson Being two separate systems, Kubernetes needs to validate the id token it receives. There are some things that it will get from the issuer URL configuration set through "--oidc-issuer-url". For example, the public key of the token signing certificate (they are accessed through the discovery document). But it does not know the registered client id of your application (the aud claim) unless you give it through a configuration. Well, it's true it's not in the documentation, but for any service which consumes id tokens as bearer tokens, it's the practice. – Kavindu Dodanduwa Jul 12 '17 at 09:18
  • Also, check the id token validation section of the OpenID Connect specification, http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation . It says "The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience". – Kavindu Dodanduwa Jul 12 '17 at 09:30
  • Thank you for your comment, particularly your first one, where you complete the missing link for me: the `aud` field of the `id_token` value received from Google must match the value of the `--oidc-client-id` parameter supplied to the apiserver on startup. It's puzzling that this isn't spelled out more clearly. – Laird Nelson Jul 12 '17 at 18:20
  • @LairdNelson Well, that's because this verification comes from the OpenID Connect specification. I believe it would be less confusing for anyone (especially ones who are not that familiar with the spec) if they had mentioned the usage of this configuration parameter in the docs. Anyway, I hope my answer helped you. – Kavindu Dodanduwa Jul 13 '17 at 02:08
  • Agreed entirely, and your answer did indeed help. Thank you. – Laird Nelson Jul 13 '17 at 07:55
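As an added illustration of the checks the answer and comments describe (example code written for this page, not code from the original post or from Kubernetes itself), the following Python parses a compact id_token and applies the validation an OIDC bearer-token authenticator performs: signature first, then `iss` against the configured issuer (the role of `--oidc-issuer-url`), then `aud` must contain the configured client id (the role of `--oidc-client-id`), then expiry, and finally the username claim. The issuer URL, client id, subject and clock value are constructed for the example. Signing uses HS256 with a shared secret so that the block runs offline; a real provider such as Google signs with RS256, and the apiserver fetches the matching public key through the issuer's discovery document as the comments explain.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example (assumptions, not real credentials).
ISSUER_URL = "https://accounts.google.com"                # what --oidc-issuer-url would carry
CLIENT_ID = "1234567890-abc.apps.googleusercontent.com"   # what --oidc-client-id would carry
SECRET = b"example-shared-secret"                         # HS256 stand-in for the IdP's RS256 key
NOW = 1_500_000_000                                       # fixed clock so results are deterministic


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact JWT the way an identity provider would (HS256 here, RS256 in reality)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


class IDTokenError(Exception):
    """Raised for any reason the bearer token must be rejected."""


def validate_id_token(token: str, *, issuer_url: str, client_id: str,
                      username_claim: str = "sub", secret: bytes = SECRET,
                      now: int = NOW) -> str:
    """Return the username from a valid id_token, or raise IDTokenError.

    The order matters: nothing in the payload is trusted before the signature verifies.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise IDTokenError("token is not a three-part compact JWT")

    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept "none" or an algorithm you did not configure
        raise IDTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise IDTokenError("signature does not verify")

    claims = json.loads(_b64url_decode(payload_b64))

    # iss: the token must come from the issuer we were configured to trust.
    if claims.get("iss") != issuer_url:
        raise IDTokenError(f"iss {claims.get('iss')!r} does not match {issuer_url!r}")

    # aud: per OIDC Core it is either a single string or an array of strings,
    # and it MUST contain our registered client_id.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise IDTokenError(f"aud {audiences!r} does not contain client_id {client_id!r}")
    # With several audiences the spec requires azp to name the party the token was issued to.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IDTokenError("multiple audiences but azp is not our client_id")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise IDTokenError("token is expired or has no exp claim")

    username = claims.get(username_claim)
    if not username:
        raise IDTokenError(f"missing username claim {username_claim!r}")
    return username


if __name__ == "__main__":
    token = mint_id_token({"iss": ISSUER_URL, "aud": CLIENT_ID,
                           "sub": "10769150350006150715113082367", "exp": NOW + 3600})
    print("accepted as", validate_id_token(token, issuer_url=ISSUER_URL, client_id=CLIENT_ID))
    foreign = mint_id_token({"iss": ISSUER_URL, "aud": "some-other-app",
                             "sub": "10769150350006150715113082367", "exp": NOW + 3600})
    try:
        validate_id_token(foreign, issuer_url=ISSUER_URL, client_id=CLIENT_ID)
    except IDTokenError as err:
        print("rejected:", err)
```

The mapping to the apiserver flags is direct: `issuer_url` plays the part of `--oidc-issuer-url`, `client_id` the part of `--oidc-client-id`, and `username_claim` the part of `--oidc-username-claim` (which defaults to `sub`). A token minted for a different registered application fails only at the audience check, which is exactly why the apiserver cannot accept id tokens without being told the client id: a validly signed token from the same Google issuer, but issued to someone else's client, would otherwise authenticate.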