client secret

[kfox1111]

I'm trying to understand how dex-k8s-authenticator can be properly setup to work with the cli. My understanding is cli clients should be marked public for security reasons. This means they don't have a client secret. dex-k8s-authenticator is a web app, and should be a non public client with a redirect url defined. I would think dex-k8s-authenticator would give back a token for the public client and thus not have a secret. but in the documentation it is shown passing a client secret. Isn't this a problem?

[nickmintel]

@kfox1111 I'm reading up on this some more as I'm not all that familiar with the OIDC spec.

I thought that client-secret was required in order to support the refreshing of the token once it expires:

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#option-1-oidc-authenticator.

Also, my understanding is that the client-secret here is not considered secret in this scenario (since it's shared).

I'm looking through this issue which seems related: https://github.com/kubernetes/kubernetes/issues/37822

[kfox1111]

Yeah, that is a good issue to review. particularly: liggitt's comment from Dec 1, 2016

My understanding is with dex, you should setup 2 different clients. one for the webapp, and one for the cli. The cli one should be public and only have a localhost redirect url. the webapp client should be able to request tokens issued for the cli instead of requesting tokens for itself. It should not hand out its own secret.

[yann-soubeyrand]

@kfox1111 I totally agree with your understanding.