Kubernetes OIDC - IDToken

oidc-flow-study-notes.md

Kubernetes OIDC Flow - Sig-Auth

Got some answers from #sig-auth: https://kubernetes.slack.com/archives/C0EN96KUY/p1667201299188199

• OIDC generally, it's not good practice to contact the IdP on every request
• Token:

{
  "iss": "https://idp.example",
  "aud": "some-audience",
  "sub": "02d72843-a096-43b9-9d61-0c4640bbdb2f",
  "exp": 1667210553,
  "iat": 1667210253,
  "nbf": 1667210253,
  "auth_time": 1667210250,
  "nonce": "qVpWjlyjjcl864K0wbxY",
  "at_hash": "f6635997174ed32be12fd2a966ded31d82fbad8a77f035fec47f0cca988efd58",
}

• ldP issues and IDToken
• id_token:
• • is signed by the ldP
• • is JWT with well known fields (name, email, etc.)
• • is self contained and from k8s' perspective can't be revoked
• • aren't stored anywhere: each transaction has its own token that is part of the request
• • isn't meant to grant any level of access (i.e. you are supposed to use the access token for that)
• • best practice is to issue short lived ID tokens (24h TTL) and with your refresh_token set to some kind of timeout
• • you just need the public key to verify them (not a storage lookup)
• • public key is fetched from the configured issuer (i.e. https://accounts.google.com/.well-known/openid-configuration)
• • • the jwks_uri is set to https://www.googleapis.com/oauth2/v3/certs
• • if you need to revoke access you can tell your identity provider to forcefully terminate the session which will invalidate the refresh every minute
• • If signature verification fails but the issuer matches, the API server will attempt to refetch the public keys (see the PubKey Fetcher)
• • https://kep.k8s.io/3331
• dex for example sets the ID token lifetime to 1 day by default, which IMO is far too large for the kube use case
• most IDPs supports:
• • access token revocation so having longer lifetimes
• • configuring the token length per OAuth client
• k8s would need to know to check that revocation endpoint
• for custom validation for OIDC tokens, webhook mode already lets you implement that, including access checks per request, like Anthos does
• • JWT as a token encoding / verification format, and CEL to encode the policy

Kubernetes deep-dive:

• Uses:
• • https://github.com/coreos/go-oidc
• • https://github.com/square/go-jose/tree/v2
• OIDC: https://github.com/kubernetes/kubernetes/blob/ea0764452222146c47ec826977f49d7001b0ea8c/pkg/serviceaccount/openidmetadata.go#L58
• Route: https://github.com/kubernetes/kubernetes/blob/c5242edd929fc40f97d3f6ee3e8874ac1b297087/pkg/routes/openidmetadata.go#L60
• Verifier: https://github.com/coreos/go-oidc/blob/fb9e00951dc7a7d035e7664a5df116c3563afbd7/oidc/verify.go#L58-L74
• PubKey fetcher: https://github.com/coreos/go-oidc/blob/fb9e00951dc7a7d035e7664a5df116c3563afbd7/oidc/jwks.go#L154
• PubKey caching: https://github.com/coreos/go-oidc/blob/0a04a64b04528b82e123ef457b620241d7418b0c/oidc/jwks.go#L81
• Book: https://github.com/PacktPublishing/Kubernetes---An-Enterprise-Guide-2E/blob/main/chapter5/B17950_Chapter_05.pdf