[mitreid-connect] Kubernetes Authorization with MitreID OIDC Server

Mark Janssen callisto at praseodym.net
Mon Feb 26 14:14:32 EST 2018


The ID token is a signed JWT, so it should be fine as long as Kubernetes
checks whether the token is signed correctly and with an expected algorithm
(e.g. it does not accept the "none" algorithm
<https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/>
).

We're also running Kubernetes with a MitreID OIDC server and it works
great. Since v1.3.2 it's easier to add an ID token group claim
<https://github.com/WISVCH/connect/blob/5fa64e4bd634bdf4622a32db6d7131c8430150a7/wisvch-connect-overlay/src/main/java/ch/wisv/connect/overlay/services/CHOIDCTokenService.java>
that can be used for Kubernetes RBAC. We're using a fork
<https://github.com/WISVCH/oidc-proxy> of keycloak-proxy
<https://github.com/gambol99/keycloak-proxy> in front of the Kubernetes
Dashboard so that users are able to access it without a kubectl proxy. For
users that need/want kubectl, we have a tiny webapp that can generate
kubectl config files <https://github.com/WISVCH/oidc-kubeconfig> including
an OIDC refresh token.

Cheers,
Mark
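The check Mark describes (pin the accepted algorithm, verify the signature, then validate issuer, audience and expiry before mapping the username and groups claims) is what an OIDC bearer-token authenticator has to do before the ID token can safely be used for RBAC. The following is an added, stand-alone example written for this page; it is not code from Mark's message, from Kubernetes or from MITREid Connect. It assumes HS256 with a constructed demo key purely so it runs on the Python standard library (a real provider signs with an asymmetric key published via JWKS), and the issuer URL, client id and `groups` claim name are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real OIDC provider signs ID tokens with an asymmetric
# key (e.g. RS256) published at its JWKS endpoint; HS256 is used here only so
# the example runs on the standard library. The verification discipline is the
# same either way: the verifier pins the algorithm, never trusting the header.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_json(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_token(claims, alg="HS256", key=DEMO_KEY):
    """Mint a demo ID token; alg="none" yields the unsigned form that the
    vulnerable libraries in the linked auth0 write-up accepted."""
    signing_input = _encode_json({"alg": alg, "typ": "JWT"}) + "." + _encode_json(claims)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token, key, issuer, client_id,
                    username_claim="sub", groups_claim="groups", now=None):
    """Validate an ID token the way an API server's OIDC authenticator must:
    algorithm allowlist first, then signature, then iss/aud/exp.
    Returns {"username": ..., "groups": [...]} or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))

    # The accepted algorithm comes from configuration, never from the token.
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {alg!r} not allowed")

    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")

    if username_claim not in claims:
        raise ValueError("username claim missing")
    groups = claims.get(groups_claim, [])
    if not isinstance(groups, list):
        raise ValueError("groups claim must be a list")
    return {"username": claims[username_claim], "groups": list(groups)}


def demo(now=1_700_000_000):
    """Run the verifier over constructed tokens; returns a dict of outcomes."""
    issuer = "https://connect.example.org"   # assumed issuer URL
    client_id = "kubernetes"                 # assumed OIDC client id
    base = {"iss": issuer, "aud": client_id, "sub": "alice",
            "groups": ["dev-team"], "exp": now + 300}
    valid = make_token(base)
    header_b64, _, sig_b64 = valid.split(".")
    # Attacker keeps the genuine signature but swaps in an escalated payload.
    tampered = ".".join([header_b64,
                         _encode_json({**base, "groups": ["cluster-admins"]}),
                         sig_b64])
    cases = {
        "valid": valid,
        "alg_none": make_token({**base, "groups": ["cluster-admins"]}, alg="none"),
        "expired": make_token({**base, "exp": now - 1}),
        "wrong_aud": make_token({**base, "aud": "dashboard-client"}),
        "tampered": tampered,
    }
    results = {}
    for name, token in cases.items():
        try:
            results[name] = verify_id_token(token, DEMO_KEY, issuer, client_id, now=now)
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} {outcome}")
```

The issuer, client id, username claim and groups claim passed to `verify_id_token` correspond to what kube-apiserver takes via `--oidc-issuer-url`, `--oidc-client-id`, `--oidc-username-claim` and `--oidc-groups-claim`; the audience check is what stops an ID token minted for one client (the dashboard proxy, say) from being replayed against the API server.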

On 26 February 2018 at 18:14, Felipe Polo-Wood <felipe.polowood at duke.edu>
wrote:

> I am trying to wrap my head around what that means... is it encrypted in
> any way?  Does it transit outside K8s?
>
>
> Felipe Polo-Wood
> Sr. Manager Clinical Applications Technical Services
> Duke Health Technology Solutions
> 3100 Tower Blvd. Office 270
> Durham, NC 27707
> Office: +1.919.668.2268
> Mobile: +1.919.741.4213
> ------------------------------
> *From:* mitreid-connect-bounces at mit.edu <mitreid-connect-bounces at mit.edu>
> on behalf of Luiz Omori <luiz.omori at duke.edu>
> *Sent:* Monday, February 26, 2018 11:29:41 AM
> *To:* mitreid-connect at mit.edu
> *Subject:* [mitreid-connect] Kubernetes Authorization with MitreID OIDC
> Server
>
>
> Yes, it works. See instructions here: https://kubernetes.io/docs/
> admin/authentication/#openid-connect-tokens
>
>
>
> Just one caveat: Kubernetes is using the ID Token as the Bearer. Not sure
> if I’ve seen any applications doing that before. Is this OK?
>
>
>
> Regards,
>
> Luiz
>
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>
>