Closed mohsinhijazee closed 3 years ago
Will look into this :+1:
We should support this, so not sure if it's a bug or not right now.
Pull Request #129 (which supports custom scopes) is merged into master but is not yet released (with latest 1.2.0). So, releasing a new version should close this issue. I am waiting for it, too. ;-)
Edit: I just tried mintel/dex-k8s-authenticator:latest from docker hub (07/06/2020) which works as expected. An official version would be appreciated nevertheless.
@betermieux I've released new versions today (1.4.0 being the latest).
Sorry for the delay!
Currently, when the following is added into scopes:
This gets ignored altogether and the generated auth URL only contains the following as scopes:
Whereas the example-app, on which this authenticator is based, perfectly supports this behavior. Further documentation on dex:

Why?
As the k8s API server only allows one client application to be used as authenticator (via the --oidc-* set of flags), we don't want to expose the main authenticator application itself everywhere and rather create another client application with client_id kubectl for example and then allow it to obtain tokens on behalf of the main application. In case of a breach, only this application would have to be revoked/adjusted and everything else would keep working fine.