kubernetes exec-credential command for OIDC Authorization flow with PKCE #1840
| @@ -0,0 +1,162 @@ | |||
| <!DOCTYPE html> | |||
| @@ -0,0 +1,164 @@ | |||
| <!DOCTYPE html> | |||
Branch force-pushed from d5c453d to b8b6e22.
| // in case we ever want to change this, or let folks configure it... | ||
| func defaultConfigHome() string { | ||
| var defaultConfigHome = func() string { |
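Review bot: turning `defaultConfigHome` from a function into a package-level `var` (so it can be stubbed in tests, per the thread) leaves it mutable at runtime. Tests that reassign it should restore the original with a `defer`, and such tests cannot use `t.Parallel()`, since the variable is shared package state. The comment on the line above ("in case we ever want to change this, or let folks configure it...") should also say that the variable exists for test stubbing, so nobody reads it as a supported configuration hook.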
So that it can be stubbed in tests.
| return filepath.Join(kubeconfigCachePath(), id+".json") | ||
| } | ||
| func cachedSSOExecCredentialPath(id string) string { |
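Review bot: `cachedSSOExecCredentialPath` joins `id` straight into the cache path; if `id` can carry path separators or `..`, `filepath.Join` will resolve them and the file lands outside `kubeconfigCachePath()`. Restrict `id` to a safe character set, or hash/encode it, before building the file name. Since these per-id files hold SSO tokens, the code that writes them should also create them with mode 0600.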
Separate files for SSO tokens
Branch force-pushed from b8b6e22 to 84c9897.
| server := &http.Server{ | ||
| Handler: t.ssoServer, | ||
| Addr: fmt.Sprintf(":%d", t.port), |
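Review bot: the `http.Server` literal sets only `Handler` and `Addr`. Besides binding the callback listener to `127.0.0.1:%d` rather than `:%d` (the browser only ever needs loopback), set `ReadHeaderTimeout` so a client that opens a connection and never sends the callback cannot hold the listener indefinitely, and call `server.Shutdown` once the callback has been handled so the port is not left open for the remainder of the command.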
`":8080"` listens on every interface; the browser only needs to reach localhost. Suggest using `fmt.Sprintf("127.0.0.1:%d", t.port)`.
Good point, thanks!
| return "", time.Time{}, errors.New("no ID token found") | ||
| } | ||
| return idToken, token.Expiry, nil |
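Review bot: the expiry returned here is `token.Expiry`, which is the OAuth2 token response's access-token expiry (`expires_in`), not the ID token's own `exp` claim, yet it is the ID token that is handed to kubectl. kubectl uses `expirationTimestamp` to decide when to re-run the exec plugin, so derive it from the ID token's `exp` (a by-product of the local verification discussed in this thread), and handle a zero `token.Expiry` from providers that omit `expires_in` rather than reporting a zero timestamp.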
Can we verify the ID token locally before returning it? We are pulling `id_token` out of the token response and forwarding it to kubectl as-is — no signature, iss, aud, or exp check.
This command doesn't authorize the user to do anything though, it just returns a token that will be passed to kube-apiserver which will perform all the necessary verifications. I added a simple verification, but I think we can be pretty minimal here and not duplicate kube-apiserver's job - WDYT?
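The local check discussed in this thread (signature, `iss`, `aud`, `exp`), as an added example that is not code from this PR or from doctl. It uses only the Go standard library, assumes RS256 and a provider public key already obtained out of band (a real client would fetch it from the issuer's JWKS endpoint and match it by `kid`), and uses placeholder issuer and client-id values. `mintTestToken` and `selfCheck` exist only to exercise the verifier with constructed tokens: a valid one, an expired one, one issued for another audience, and a payload with a far-future `exp` spliced under a valid signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Standard OIDC ID token claims that the local check looks at.
type idTokenClaims struct {
	Iss string      `json:"iss"`
	Aud interface{} `json:"aud"` // a string or a JSON array of strings
	Exp int64       `json:"exp"`
}

// verifyIDToken checks an RS256 ID token against the provider's public key (in practice
// fetched from the issuer's JWKS) and validates iss, aud and exp; claims are returned so
// the caller can use exp as the credential's expiry.
func verifyIDToken(raw string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (idTokenClaims, error) {
	var claims idTokenClaims
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return claims, fmt.Errorf("malformed JWT: expected header.payload.signature")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return claims, fmt.Errorf("bad header or unsupported alg (only RS256 accepted)")
	}
	// The signature covers the header and payload segments exactly as transmitted.
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return claims, fmt.Errorf("signature verification failed")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &claims) != nil {
		return claims, fmt.Errorf("cannot parse claims")
	}
	switch {
	case claims.Iss != wantIss:
		return claims, fmt.Errorf("unexpected issuer %q", claims.Iss)
	case !audienceContains(claims.Aud, wantAud):
		return claims, fmt.Errorf("token not issued for audience %q", wantAud)
	case claims.Exp == 0 || !now.Before(time.Unix(claims.Exp, 0)):
		return claims, fmt.Errorf("token expired or has no exp claim")
	}
	return claims, nil
}

// audienceContains accepts either the single-string or the array form of aud.
func audienceContains(aud interface{}, want string) bool {
	list, ok := aud.([]interface{})
	if !ok {
		list = []interface{}{aud}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// mintTestToken signs claims with a locally generated key (constructed test data only).
func mintTestToken(priv *rsa.PrivateKey, claims idTokenClaims) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	payload := base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(header + "." + payload))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return header + "." + payload + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// selfCheck verifies one good token and three bad ones and returns each outcome.
func selfCheck() (good, expired, wrongAud, forged error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	const iss, aud = "https://idp.example.test", "doctl-example-client" // placeholder values
	withExp := func(c idTokenClaims, exp int64) idTokenClaims { c.Exp = exp; return c }
	base := idTokenClaims{Iss: iss, Aud: aud, Exp: now.Add(time.Hour).Unix()}
	goodTok := mintTestToken(priv, base)
	_, good = verifyIDToken(goodTok, &priv.PublicKey, iss, aud, now)
	_, expired = verifyIDToken(mintTestToken(priv, withExp(base, now.Add(-time.Minute).Unix())), &priv.PublicKey, iss, aud, now)
	_, wrongAud = verifyIDToken(goodTok, &priv.PublicKey, iss, "some-other-client", now)
	// A payload with a far-future exp spliced under the good token's signature must fail.
	gp, op := strings.Split(goodTok, "."), strings.Split(mintTestToken(priv, withExp(base, now.Add(240*time.Hour).Unix())), ".")
	_, forged = verifyIDToken(gp[0]+"."+op[1]+"."+gp[2], &priv.PublicKey, iss, aud, now)
	return
}

func main() {
	good, expired, wrongAud, forged := selfCheck()
	fmt.Printf("good: %v\nexpired: %v\nwrong aud: %v\nforged: %v\n", good, expired, wrongAud, forged)
}
```

`go run` prints the outcome of each check (`<nil>` for the valid token, an error for the other three). What a real exec-credential command would add on top is deriving `expirationTimestamp` from the returned `Exp` rather than from the OAuth2 access-token expiry, and rejecting `alg: none` or HMAC tokens exactly as the RS256-only header check does here.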
Just a small clarification — should the command here be |
Branch force-pushed from 559a4b7 to 6c6ed92.
Correct, I forgot the |
Adds a set of flags to the `doctl cluster kubernetes kubeconfig exec-credential` command to be able to handle OIDC authorization.

Currently, `doctl kubernetes kubeconfig exec-credential` is used to fetch a DO PAT from the DOKS API, and this PAT is used by kubectl to authenticate inside the k8s cluster. The additional flags enable `doctl kubernetes kubeconfig exec-credential` to instead receive a token (ID token) from an OIDC identity provider such as Okta or Auth0.

The authorization flow implemented here is similar to how OSS kubectl plugins do it (e.g. https://github.com/int128/kubelogin), but with our own implementation we get seamless UX (users don't have to install and configure third-party plugins) and flexibility in adjusting & fixing any issues.