dexter OIDC vs SSL Cert Login

[aduzsardi]

Correct me if i'm wrong but isn't this kind of the same as using SSL certificates for client auth ?
I mean , the user will get a valid id-token and a refresh token (with google oidc at least). He/she can use the refresh token to get a new id-token once it expired indefinitely , so there's no actual way to revoke access to a token beside removing the user from the (Cluster|Role)Binding same as with SSL certificates.

[dkerwin]

There is a big difference. With certificates there is no way to revoke a certificate while preserving the user account. Kubernetes doesn't use a CRL which would be the way to do that.

OIDC on the other hand uses access and refresh tokens and a refresh for an expired access token will fail when the account or the token is disabled on the identity provider. This leaves a small window while the access token is still valid and how long that is depends on the setting of the identity provider.

Hope this helps.

[aduzsardi]

oh , i think i get it now , you mean with G Suite accounts because i tested with regular gmail account and even though i did some changes to the oauth app (switched from external to internal) the regular gmail account could still use the the refresh token to renew the id-token which confused me a bit since you can't really disable a gmail account beside deleting it.

So i'm guessing you need to create the oauth app with internal setting enabled from start this will allow only users in your G Suite org to authenticate in the first place and then you can disable the account if you want to revoke access to the k8s user.