mintel / dex-k8s-authenticator

A Kubernetes Dex Client Authenticator
MIT License
371 stars 146 forks

Allow Cross client credentials #140

Closed mohsinhijazee closed 3 years ago

mohsinhijazee commented 3 years ago

Currently, when following is added into scopes:

    scopes: 
      - openid
      - profile
      - email
      - offline_access
      - groups
      - audience:server:client_id:kubernetes

This gets ignored altogether and the generated auth URL only contains the following as scopes:

&scope=openid+profile+email+offline_access+groups

Whereas the example-app on which this authenticator is based perfectly supports this behavior. Further documentation on dex:

Why?

As the k8s API server only allows one client application to be used as authenticator (via the --oidc-* set of flags), we don't want to expose the main authenticator application itself everywhere and would rather create another client application with client_id kubectl, for example, and then allow it to obtain tokens on behalf of the main application. In case of a breach, only this application would have to be revoked/adjusted and everything else would keep working fine.
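The cross-client flow the issue describes, as an added example in Go (not code from dex-k8s-authenticator or Dex): it builds the Dex authorization URL with the audience scope kept in the scope list, then runs the audience check an OIDC relying party such as the API server applies to the resulting ID token, so the difference between a token with `aud: ["kubectl"]` and one with `aud: ["kubectl","kubernetes"]` is visible. The issuer URL, the client ids `kubectl` and `kubernetes`, the redirect URI and the two sample tokens are assumptions constructed for the demo; the tokens are unsigned and `parseClaims` deliberately skips signature verification, which a real relying party must never do.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// buildAuthURL assembles the Dex authorization request. The scope
// audience:server:client_id:kubernetes asks Dex to also put "kubernetes" in the
// ID token's aud (Dex honours it only if "kubernetes" trusts "kubectl" via trustedPeers).
func buildAuthURL(issuer, clientID, redirectURI, state string, scopes []string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	return issuer + "/auth?" + q.Encode()
}

type idClaims struct {
	Audience        []string
	AuthorizedParty string
}

// parseClaims decodes the JWT payload WITHOUT verifying the signature so the
// audience logic can run offline on constructed tokens; a real relying party
// verifies the signature against the issuer's JWKS before trusting any claim.
func parseClaims(idToken string) (*idClaims, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: expected 3 parts, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var raw struct {
		Aud json.RawMessage `json:"aud"` // a string or an array of strings (RFC 7519)
		Azp string          `json:"azp"`
	}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	c := &idClaims{AuthorizedParty: raw.Azp}
	var single string
	if json.Unmarshal(raw.Aud, &single) == nil {
		c.Audience = []string{single}
	} else if err := json.Unmarshal(raw.Aud, &c.Audience); err != nil {
		return nil, fmt.Errorf("aud claim missing or malformed: %w", err)
	}
	return c, nil
}

// checkAudience is the check the API server applies to every ID token: its
// --oidc-client-id must appear in aud. The azp rule (several audiences => the
// token must have been issued to the expected peer) is extra policy added here.
func checkAudience(c *idClaims, apiClientID, expectedParty string) error {
	found := false
	for _, a := range c.Audience {
		found = found || a == apiClientID
	}
	if !found {
		return fmt.Errorf("audience %v does not include %q", c.Audience, apiClientID)
	}
	if len(c.Audience) > 1 && c.AuthorizedParty != expectedParty {
		return fmt.Errorf("authorized party %q is not the expected peer %q", c.AuthorizedParty, expectedParty)
	}
	return nil
}

// mintDemoToken builds an UNSIGNED JWT (alg "none", empty signature). It is
// constructed demo input only; never accept such a token in production.
func mintDemoToken(claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc(body) + "."
}

func main() {
	const issuer = "https://dex.example.com" // assumed issuer URL
	fmt.Println(buildAuthURL(issuer, "kubectl", "http://127.0.0.1:5555/callback", "xyz",
		[]string{"openid", "profile", "email", "offline_access", "groups", "audience:server:client_id:kubernetes"}))
	// "plain" is the token Dex issues when the scope was dropped, "cross" when it was honoured.
	for name, claims := range map[string]map[string]interface{}{
		"plain": {"iss": issuer, "sub": "alice", "aud": "kubectl"},
		"cross": {"iss": issuer, "sub": "alice", "aud": []string{"kubectl", "kubernetes"}, "azp": "kubectl"},
	} {
		c, err := parseClaims(mintDemoToken(claims))
		if err == nil {
			err = checkAudience(c, "kubernetes", "kubectl")
		}
		fmt.Printf("%-5s token accepted by API server: %v (%v)\n", name, err == nil, err)
	}
}
```

The point of the demo is the second half: a token minted to `kubectl` alone is useless against an API server started with `--oidc-client-id=kubernetes`, which is exactly what happens when the authenticator silently strips the `audience:server:client_id:kubernetes` scope from the request.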

nabadger commented 3 years ago

Will look into this :+1:

We should support this, so not sure if it's a bug or not right now.

betermieux commented 3 years ago

Pull Request #129 (which supports custom scopes) has been merged into master but is not yet released (the latest release is 1.2.0). So, releasing a new version should close this issue. I am waiting for it, too. ;-)

Edit: I just tried mintel/dex-k8s-authenticator:latest from Docker Hub (07/06/2020), which works as expected. An official version would be appreciated nevertheless.

nabadger commented 3 years ago

@betermieux I've released new versions today (1.4.0 being the latest).

Sorry for delay!