Purpose of the feature (why)
I really liked this project. Thanks for your effort.
I would like an option SkipIssuerCheck to skip the issuer check if possible. For example, --skip-issuer-check.
The reason for this option is that, in my K8s environment, I want to expose the OIDC provider endpoint only to in-cluster scope for certain users, which means the OIDC provider endpoint should vary for some users.
For example,
A user group: https://oidc.mycluster.com (default)
B user group: http://SVC_NAME.NAMESPACE.svc.cluster.local (for some users)
However, the jwt issuer should be https://oidc.mycluster.com for both cases. Since the jwt issuer and the OIDC provider endpoint do not match, an error currently occurs. I want to avoid this case.
Would you kindly consider adding a --skip-issuer-check option for such a case?
Your idea (how)
Add SkipIssuerCheck option in gooidc Verifier.
https://github.com/int128/kubelogin/blob/42164cbc97b074e8c6bf526a7d6d9f81b21eb80b/pkg/oidc/client/client.go#L200
I have checked it works well when I add this option. I could just use the downstream and add it only for myself but I'm wondering if it's possible to add an option to the upstream.
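The trade-off behind this request, as an added example that is not part of the original issue and is not kubelogin or go-oidc code: when the in-cluster discovery URL differs from the token's iss claim, skipping the check accepts a token from any issuer, whereas pinning the expected issuer separately from the discovery URL keeps the check. IssuerPolicy, CheckIssuer and constructedToken are hypothetical names, the tokens are constructed and unsigned, and signature verification is deliberately left out.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// IssuerPolicy is a hypothetical type for this example, not a kubelogin or go-oidc API.
type IssuerPolicy struct {
	DiscoveryURL   string // where provider metadata is fetched from
	ExpectedIssuer string // issuer to pin; empty means "same as DiscoveryURL"
	SkipCheck      bool   // models the effect of the requested --skip-issuer-check
}

// CheckIssuer checks only the iss claim; real code must still verify the signature.
func (p IssuerPolicy) CheckIssuer(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT: %d segments", len(parts))
	}
	var claims struct {
		Iss string `json:"iss"`
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &claims) != nil {
		return fmt.Errorf("undecodable JWT payload")
	}
	want := p.ExpectedIssuer
	if want == "" {
		want = p.DiscoveryURL
	}
	if p.SkipCheck || claims.Iss == want {
		return nil // with SkipCheck set, every issuer passes
	}
	return fmt.Errorf("issuer mismatch: got %q, want %q", claims.Iss, want)
}

// constructedToken builds an unsigned sample token for this demonstration only.
func constructedToken(iss string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(`{"iss":"`+iss+`"}`)) + ".x"
}

func main() {
	p := IssuerPolicy{DiscoveryURL: "http://SVC_NAME.NAMESPACE.svc.cluster.local", ExpectedIssuer: "https://oidc.mycluster.com"}
	fmt.Println(p.CheckIssuer(constructedToken("https://oidc.mycluster.com")))
}
```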