oidc authentication: email_verified claim is not required for JWT validation #61508

Merged
merged 1 commit into kubernetes:master from rithujohn191:email_verified Apr 4, 2018

Conversation

@rithujohn191
Contributor

rithujohn191 commented Mar 21, 2018

What this PR does / why we need it:
Currently the "email_verified" claim is required by the API server to verify an OIDC token. Many OIDC providers do not support the "email_verified" claim. We want to be able to allow their OIDC tokens as valid.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #59496

Release note:

OIDC authentication now allows tokens without an "email_verified" claim when using the "email" claim. If an "email_verified" claim is present when using the "email" claim, it must be `true`.

/sig auth
/kind feature
/assign @ericchiang

CC: @sreetummidi
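As an added example (not the PR's own code, which lives in the API server's OIDC authenticator), the Go snippet below models the rule stated in the release note: with "email" as the username claim, a missing `email_verified` claim is accepted, while a present one must be `true`, and presence is checked before decoding, as suggested in review. The names `claims`, `unmarshalClaim` and `usernameFromPayload` and the sample payloads are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type claims map[string]json.RawMessage // decoded JWT payload: name -> raw JSON value
// unmarshalClaim decodes one claim into v (assumed helper name, not the k8s one).
func (c claims) unmarshalClaim(name string, v interface{}) error {
	raw, ok := c[name]
	if !ok {
		return fmt.Errorf("oidc: claim %q not found", name)
	}
	return json.Unmarshal(raw, v)
}

// usernameFromPayload applies the PR's rule: a missing email_verified is accepted, a present one must be true.
func usernameFromPayload(payload, usernameClaim string) (string, error) {
	var c claims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return "", fmt.Errorf("oidc: parse claims: %v", err)
	}
	var username string
	if err := c.unmarshalClaim(usernameClaim, &username); err != nil {
		return "", err
	}
	if usernameClaim == "email" {
		// Check presence first (the reviewer's suggestion) instead of comparing errors.
		if _, present := c["email_verified"]; present {
			var verified bool
			if err := c.unmarshalClaim("email_verified", &verified); err != nil {
				return "", fmt.Errorf("oidc: parse 'email_verified' claim: %v", err)
			}
			if !verified {
				return "", fmt.Errorf("oidc: email not verified")
			}
		}
	}
	return username, nil
}

func main() {
	for _, p := range []string{`{"email":"a@example.com"}`, // constructed payloads, not real tokens
		`{"email":"a@example.com","email_verified":true}`,
		`{"email":"a@example.com","email_verified":false}`} {
		u, err := usernameFromPayload(p, "email")
		fmt.Printf("%s -> user=%q err=%v\n", p, u, err)
	}
}
```

A non-boolean `email_verified` (for example the string `"true"`) fails to decode and is rejected as well, and the check is skipped entirely when a different username claim such as `sub` is configured.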

@ericchiang

Member

ericchiang commented Mar 21, 2018

/ok-to-test

cc @kubernetes/sig-auth-pr-reviews any objections here? There was a comment a while back that this case should require an additional flag, but that seems like overkill.

@rithujohn191

Contributor Author

rithujohn191 commented Apr 2, 2018

Any thoughts/objections on this PR?

if !emailVerified {
return nil, false, fmt.Errorf("oidc: email not verified")
// If the email_verified claim is not present we do not have to verify it.
if err != nil && err != errClaimNotFound {


@liggitt

liggitt Apr 3, 2018

Member

It seems like it would be clearer to check for presence of the claim before calling unmarshalClaim, rather than comparing literal errors.

if _, hasEmailVerifiedClaim := c["email_verified"]; hasEmailVerifiedClaim {
  ...
}


@rithujohn191

rithujohn191 Apr 3, 2018

Author Contributor

Done

@liggitt

Member

liggitt commented Apr 3, 2018

Nit on checking for presence rather than comparing errors. No objections overall.

@rithujohn191 rithujohn191 force-pushed the rithujohn191:email_verified branch from f700614 to 1f25319 Apr 3, 2018

@ericchiang

Member

ericchiang commented Apr 3, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Apr 3, 2018

@ericchiang

Member

ericchiang commented Apr 3, 2018

/approve

@k8s-ci-robot

Contributor

k8s-ci-robot commented Apr 3, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ericchiang, rithujohn191

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-github-robot

Contributor

k8s-github-robot commented Apr 4, 2018

Automatic merge from submit-queue (batch tested with PRs 61806, 61508, 62075, 62079, 62052). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 8201b3e into kubernetes:master Apr 4, 2018

14 checks passed

@rithujohn191 rithujohn191 deleted the rithujohn191:email_verified branch Feb 15, 2019
