What operating system and processor architecture are you using?
Windows 10, AMD64
What did you do?
This is related to kubernetes/kubernetes#56063. When refreshing a Google OIDC token, the audience apparently gets lost if it isn't explicitly stated.
What did you expect to see?
When a token refreshes, I expect the aud to stay the same, or to be able to specify an audience via the audience POST parameter.
What did you see instead?
When using Google OIDC and a token refreshes, the aud resets, and no such API exists.
I'm mostly posting this to get a temperature reading on how people feel about introducing the ability to inject this or perhaps arbitrary parameters into the refresh post. It seems like there's little alternative :(
It looks like the most convenient place to inject such code would be here:
This seems related to #234, which proposes a related measure that I'd also like to have.
I apologize if this is already possible and I missed it, or worse, it's not actually an issue at all and I'm just missing something, but it sure seems like a problem to me.
Well, one issue that needs to be addressed either way is whether or not it should be done at all. The Google OIDC implementation is decidedly going against spec here with this; the audience should never change during a refresh.
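One way to get the `audience` field from the issue into the refresh POST without changing the library, as an added example that is not part of the original thread or of the project's code: an `http.RoundTripper` that patches `refresh_token` grants on their way out. The names `audienceInjector`, `echoRT` and `sentForm`, the `idp.invalid` URL and the sample values are constructed for illustration, and whether a provider honours `audience` on refresh is an assumption.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// audienceInjector (hypothetical name) adds "audience" to refresh_token grants.
type audienceInjector struct { base http.RoundTripper; audience string }

func (a audienceInjector) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Body == nil || !strings.HasPrefix(req.Header.Get("Content-Type"), "application/x-www-form-urlencoded") {
		return a.base.RoundTrip(req)
	}
	raw, err := io.ReadAll(req.Body)
	req.Body.Close()
	if err != nil {
		return nil, err
	}
	// Patch refresh grants only; never override an audience the caller set.
	if f, perr := url.ParseQuery(string(raw)); perr == nil && f.Get("grant_type") == "refresh_token" && f.Get("audience") == "" {
		f.Set("audience", a.audience)
		raw = []byte(f.Encode())
	}
	out := req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
	out.Body, out.GetBody = io.NopCloser(bytes.NewReader(raw)), nil // drop the old body replay
	out.ContentLength = int64(len(raw))
	return a.base.RoundTrip(out)
}

// echoRT is a constructed stand-in for the token endpoint: it returns the form it was sent.
type echoRT struct{}
func (echoRT) RoundTrip(r *http.Request) (*http.Response, error) {
	return &http.Response{StatusCode: 200, Body: r.Body, Header: http.Header{}, Request: r}, nil
}

// sentForm pushes a constructed grant through the injector; returns what the endpoint saw.
func sentForm(grant, audience string) (url.Values, error) {
	c := &http.Client{Transport: audienceInjector{echoRT{}, audience}}
	resp, err := c.PostForm("https://idp.invalid/token", url.Values{"grant_type": {grant}, "refresh_token": {"constructed-rt"}})
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body) // in-memory reader
	return url.ParseQuery(string(body))
}

func main() { fmt.Println(sentForm("refresh_token", "constructed-client-id")) }
```

If the client library is golang.org/x/oauth2 (an assumption; the thread does not name it), an `http.Client` with this transport can be supplied through the `oauth2.HTTPClient` context key so that refreshes pass through it. Whatever the provider returns, comparing the `aud` claim of the refreshed ID token against the expected value before using it catches the reset described above.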