oidc authentication: switch to v2 of coreos/go-oidc

[ericchiang]

Switch to v2 of coreos/go-oidc, which uses square/go-jose to verify tokens and supports more signing algorithms.

Most of this PR removes dependencies used by the older version of github.com/coreos/go-oidc, and updates vendor files.

This PR has been tested against tokens issued by Okta, Google, and CoreOS's dex.

Closes #57806

kube-apiserver: the OpenID Connect authenticator can now verify ID Tokens signed with JOSE algorithms other than RS256 through the --oidc-signing-algs flag.
kube-apiserver: the OpenID Connect authenticator no longer accepts tokens from the Google v3 token APIs, users must switch to the "https://www.googleapis.com/oauth2/v4/token" endpoint.

cc @rithujohn191 @liggitt
cc @kubernetes/sig-auth-pr-reviews

[thockin]

Godep parts look OK. ping me when LGTM'ed and I can approve.

[rithujohn191]

the lint check and staging-godeps check seems to have failed

[rithujohn191]

A comment about why you are trying to decode it as string again as opposed to an array of strings would be helpful

[ericchiang]

Added a link to #33290

[mikedanese]

alternatively create a:

type stringOrArray []string

with a UnmarshalJSON func that does the right thing.

[ericchiang]

https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/58544/pull-kubernetes-unit/76002/

Failure on

k8s.io/kubernetes/vendor/k8s.io/apiextensions-apiserver/test/integration TestPatch 0.82s

/test pull-kubernetes-unit

[liggitt]

can we move this under testdata? makes it clearer it is only for test

[liggitt]

don't want to enable none? :)

[ericchiang]

I swear I remember someone accidentally using tokens with HS256.

[liggitt]

this is the client used in the background to fetch discovery docs and public keys? what was the timeout before?

edit: found it. there was no timeout previously. 15 seconds sounds a little aggressive, especially for a background process.

[ericchiang]

Bumped to 30 seconds

[ericchiang]

/test pull-kubernetes-e2e-kops-aws

[ericchiang]

/test pull-kubernetes-e2e-kops-aws

edit: flaking on #58578

[ericchiang]

/test pull-kubernetes-e2e-kops-aws

[ericchiang]

/test pull-kubernetes-e2e-kops-aws

[ericchiang]

/test pull-kubernetes-e2e-kops-aws

[ericchiang]

@kubernetes/sig-auth-pr-reviews tests are green

[liggitt]

+	// Check issuer.
+	if t.Issuer != v.issuer {
+		// Google sometimes returns "accounts.google.com" as the issuer claim instead of
+		// the required "https://accounts.google.com". Detect this case and allow it only
+		// for Google.
+		//
+		// We will not add hooks to let other providers go off spec like this.
+		if !(v.issuer == issuerGoogleAccounts && t.Issuer == issuerGoogleAccountsNoScheme) {
+			return nil, fmt.Errorf("oidc: id token issued by a different provider, expected %q got %q", v.issuer, t.Issuer)
+		}
+	}

really?

[liggitt]

does this echo the value in errors? we weren't returning claim values in error messages before, just type info

[ericchiang]

It's doesn't appear to return the value: https://play.golang.org/p/Ed2vi-1gDEK

I can add a test to make sure that behavior doesn't change in future releases of Go.

[ericchiang]

Test added.

[liggitt]

can be a follow-up, but might be good to consider doing something similar to #58791 to avoid noise in logs when this is combined with other token auth methods

[liggitt]

a couple questions, LGTM overall. would like a second review on the authorize path. @tallclair can you review or pick a delegate?

[thockin]

I have no context on this - please assign to me if you need some approval.

[liggitt]

/lgtm

would like a second from another @kubernetes/sig-auth-pr-reviews reviewer, then can get top-level approval for godep change

[mikedanese]

/lgtm

[mikedanese]

typo: whitelist

[mikedanese]

/lgtm

[ericchiang]

/assign @thockin

For final approval

[smarterclayton]

/approve

for godep

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ericchiang, liggitt, mikedanese, smarterclayton

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• Godeps/OWNERS [smarterclayton]
• cmd/kube-apiserver/OWNERS [liggitt,mikedanese,smarterclayton]
• hack/OWNERS [liggitt,smarterclayton]
• pkg/kubeapiserver/OWNERS [liggitt,smarterclayton]
• staging/OWNERS [smarterclayton]
• vendor/OWNERS [smarterclayton]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.