int128 / kubelogin

kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)
Apache License 2.0
1.65k stars 191 forks

Add `SkipIssuerCheck` option to kubelogin #1055

Open hongkunyoo opened 6 months ago

hongkunyoo commented 6 months ago

Purpose of the feature (why)

I really liked this project. Thanks for your effort. I would like an option, SkipIssuerCheck, to skip the issuer check if possible. For example, --skip-issuer-check. The reason for this option is that, in my K8s environment, I want to expose the OIDC provider endpoint only in the in-cluster scope for certain users. This means the OIDC provider endpoint should vary for some users. For example,

However, the JWT issuer should be https://oidc.mycluster.com in both cases. Since the JWT issuer and the OIDC provider endpoint do not match, an error currently occurs. I want to avoid this case.

Would you kindly consider adding a --skip-issuer-check option for such a case?

Your idea (how)

Add a SkipIssuerCheck option in the go-oidc Verifier.

SkipIssuerCheck: true

https://github.com/int128/kubelogin/blob/42164cbc97b074e8c6bf526a7d6d9f81b21eb80b/pkg/oidc/client/client.go#L200

I have checked that it works well when I add this option. I could just use a downstream fork and add it only for myself, but I'm wondering if it's possible to add the option upstream.
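To make the trade-off in this request concrete, here is an added example (not kubelogin's or go-oidc's code) that models the issuer comparison the issue wants to make optional. It reproduces the situation described above: the client is configured with one URL for discovery while the token's `iss` claim carries the public issuer. `VerifierConfig`, `VerifyIssuer`, the in-cluster URL `https://oidc.mycluster.svc` and the foreign issuer `https://idp.example.org` are assumptions; only `https://oidc.mycluster.com` comes from the issue. The tokens are constructed inline and unsigned so the example runs offline; signature verification against the key set fetched from the configured endpoint is assumed to happen separately.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// VerifierConfig models the relevant verifier settings (hypothetical names).
// IssuerURL is used both to locate the discovery document/JWKS and, unless
// SkipIssuerCheck is set, as the value the token's `iss` claim must equal.
type VerifierConfig struct {
	IssuerURL       string
	SkipIssuerCheck bool
}

// Claims holds the subset of ID-token claims this example inspects.
type Claims struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
}

var ErrIssuerMismatch = errors.New("oidc: issuer mismatch")

// decodeClaims parses the payload of a compact JWT. It does not verify the
// signature; that step (against the JWKS from IssuerURL) is assumed to run
// separately and is outside the scope of this example.
func decodeClaims(rawJWT string) (Claims, error) {
	var c Claims
	parts := strings.Split(rawJWT, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT: expected header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("decode payload: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("parse claims: %w", err)
	}
	return c, nil
}

// VerifyIssuer applies the issuer comparison the issue asks to make optional.
func VerifyIssuer(cfg VerifierConfig, rawJWT string) (Claims, error) {
	c, err := decodeClaims(rawJWT)
	if err != nil {
		return Claims{}, err
	}
	if cfg.SkipIssuerCheck {
		// Nothing pins `iss` any more: a token signed by the same key set
		// but issued under a different issuer value is accepted here.
		return c, nil
	}
	if c.Issuer != cfg.IssuerURL {
		return Claims{}, fmt.Errorf("%w: token iss %q, configured issuer %q",
			ErrIssuerMismatch, c.Issuer, cfg.IssuerURL)
	}
	return c, nil
}

// mintUnsignedJWT builds a constructed, unsigned (alg "none") token for the
// demonstration. A real client must reject alg "none"; it is used here only
// so the example runs offline without a key pair.
func mintUnsignedJWT(iss, sub string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(Claims{Issuer: iss, Subject: sub})
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	// The issue's scenario: discovery goes to an in-cluster endpoint
	// (hypothetical URL), but the token's iss is the public issuer.
	tok := mintUnsignedJWT("https://oidc.mycluster.com", "alice")
	strict := VerifierConfig{IssuerURL: "https://oidc.mycluster.svc"}
	relaxed := VerifierConfig{IssuerURL: "https://oidc.mycluster.svc", SkipIssuerCheck: true}
	foreign := mintUnsignedJWT("https://idp.example.org", "mallory")

	for _, tc := range []struct {
		name string
		cfg  VerifierConfig
		tok  string
	}{
		{"strict, in-cluster endpoint", strict, tok},
		{"skip-issuer-check, in-cluster endpoint", relaxed, tok},
		{"skip-issuer-check, foreign issuer", relaxed, foreign},
	} {
		c, err := VerifyIssuer(tc.cfg, tc.tok)
		if err != nil {
			fmt.Printf("%-40s rejected: %v\n", tc.name, err)
			continue
		}
		fmt.Printf("%-40s accepted: sub=%s iss=%s\n", tc.name, c.Subject, c.Issuer)
	}
}
```

The third case is the caveat a reviewer of this option would raise: once the issuer comparison is skipped, the only thing still tying a token to the intended provider is the signature check against the key set fetched from the configured endpoint, so that endpoint and its keys must be trusted not to sign tokens for any other issuer. An alternative that keeps the `iss` pin is to let the user set the expected issuer explicitly (the public value) while the discovery endpoint is overridden separately; that is a design suggestion, not something the issue proposes.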