Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oidc authentication: email_verified claim is not required for JWT validation #61508

Merged
merged 1 commit into from
Apr 4, 2018
Merged

oidc authentication: email_verified claim is not required for JWT validation #61508

merged 1 commit into from
Apr 4, 2018

Conversation

rithujohn191
Copy link
Contributor

@rithujohn191 rithujohn191 commented Mar 21, 2018
edited by liggitt
Loading

What this PR does / why we need it:
Currently the "email_verified" claim is required by the API server to verify an OIDC token. Many OIDC providers do not support the "email_verified" claim. We want to be able to allow their OIDC tokens as valid.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #59496

Release note:

OIDC authentication now allows tokens without an "email_verified" claim when using the "email" claim. If an "email_verified" claim is present when using the "email" claim, it must be `true`.

/sig auth
/kind feature
/assign @ericchiang

CC: @sreetummidi

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. kind/feature Categorizes issue or PR as related to a new feature. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 21, 2018
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 21, 2018
@ericchiang
Copy link
Contributor

ericchiang commented Mar 21, 2018
edited
Loading

/ok-to-test

cc @kubernetes/sig-auth-pr-reviews any objections here? There was an comment a while back that this case should require an additional flag, but that seems like overkill.

@k8s-ci-robot k8s-ci-robot removed the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 21, 2018
@rithujohn191
Copy link
Contributor Author

Any thoughts/ objections on this PR?

liggitt
liggitt reviewed Apr 3, 2018
View reviewed changes
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go Outdated
if !emailVerified {
return nil, false, fmt.Errorf("oidc: email not verified")
// If the email_verified claim is not present we do not have to verify it.
if err != nil && err != errClaimNotFound {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it seems like it would be clearer to check for presence of the claim before calling unmarshalClaim, rather than comparing literal errors

if _, hasEmailVerifiedClaim := c["email_verified"]; hasEmailVerifiedClaim {
  ...
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@liggitt
Copy link
Member

liggitt commented Apr 3, 2018

nit on checking for presence rather than comparing errors. no objections overall

@ericchiang
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 3, 2018
@ericchiang
Copy link
Contributor

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ericchiang, rithujohn191

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 3, 2018
@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 61806, 61508, 62075, 62079, 62052). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 8201b3e into kubernetes:master Apr 4, 2018
@rithujohn191 rithujohn191 mentioned this pull request Apr 6, 2018
Closed
@rithujohn191 rithujohn191 deleted the email_verified branch February 15, 2019 00:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@caesarxuchao caesarxuchao Awaiting requested review from caesarxuchao

@ericchiang ericchiang Awaiting requested review from ericchiang

Assignees

@ericchiang ericchiang

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

email_verified should not be part of required claims for OIDC JWT Validation
5 participants
@rithujohn191 @ericchiang @liggitt @k8s-ci-robot @k8s-github-robot