[mitreid-connect] Kubernetes Authorization with MitreID OIDC Server

Luiz Omori luiz.omori at duke.edu
Mon Feb 26 14:36:37 EST 2018


Thanks Mark. I’ve looked at their Go source code and the checks look OK. Will see. One downside of this approach is that most toolkits, libraries, etc. for OAuth2/OIDC retrieve from the Identity Server and inject the access token when calling any protected client APIs, not the ID token. Nothing major, just maybe annoying in some cases.

I will take a look at the proxy. Good stuff. We are not running our K8s with MitreID yet, just exploring. A few little annoying issues using OIDC with K8s, e.g. Dashboard, as you found out. Not sure if SAML or LDAP would be better.

Regards,
Luiz

From: <mark at praseodym.net> on behalf of Mark Janssen <callisto at praseodym.net>
Date: Monday, February 26, 2018 at 2:15 PM
To: "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
Cc: Luiz Omori <luiz.omori at duke.edu>, Felipe Polo-Wood <felipe.polowood at duke.edu>
Subject: Re: [mitreid-connect] Kubernetes Authorization with MitreID OIDC Server

The ID token is a signed JWT, so it should be fine as long as Kubernetes checks whether the token is signed correctly and with an expected algorithm (e.g. it does not accept the "none" algorithm <https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/>).
We're also running Kubernetes with a MitreID OIDC server and it works great. Since v1.3.2 it's easier to add an ID token group claim <https://github.com/WISVCH/connect/blob/5fa64e4bd634bdf4622a32db6d7131c8430150a7/wisvch-connect-overlay/src/main/java/ch/wisv/connect/overlay/services/CHOIDCTokenService.java> that can be used for Kubernetes RBAC. We're using a fork <https://github.com/WISVCH/oidc-proxy> of keycloak-proxy <https://github.com/gambol99/keycloak-proxy> in front of the Kubernetes Dashboard so that users are able to access it without a kubectl proxy. For users that need/want kubectl, we have a tiny webapp that can generate kubectl config files <https://github.com/WISVCH/oidc-kubeconfig> including an OIDC refresh token.
Cheers,
Mark
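As an added illustration of the checks Mark describes above (example code written for this page, not Kubernetes' or MitreID's own implementation), here is a Go verifier that treats an OIDC ID token as a bearer credential the way kube-apiserver does. The issuer URL, client_id, user, groups and the RSA key are constructed for the example; a real verifier fetches the issuer's public keys from the JWKS endpoint advertised in discovery rather than generating a key of its own. The algorithm is pinned to RS256, so an "alg": "none" header is refused before any signature or claim is looked at, and the aud check ties the token to the configured client_id, which is why kube-apiserver needs --oidc-client-id next to --oidc-issuer-url. The groups claim comes out the other end ready to be matched against RBAC subjects. kube-apiserver lets the username and groups claim names be chosen by flag (--oidc-username-claim, --oidc-groups-claim); this example fixes them to email and groups.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// OIDCConfig mirrors kube-apiserver's --oidc-issuer-url and --oidc-client-id; Key stands in for the issuer's JWKS key.
type OIDCConfig struct {
	Issuer, ClientID string
	Key              *rsa.PublicKey
}

// Claims are the ID token fields checked here. kube-apiserver lets the username and groups claim names be set by flag; this example fixes them to email and groups.
type Claims struct {
	Iss    string      `json:"iss"`
	Aud    interface{} `json:"aud"` // OIDC Core allows a single string or an array
	Exp    int64       `json:"exp"`
	Email  string      `json:"email"`
	Groups []string    `json:"groups"`
}

var b64 = base64.RawURLEncoding

// IssuerKey is a throwaway key standing in for the identity server's signing key (constructed for the example).
var IssuerKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// Token serialises header.payload.signature; priv == nil yields an alg=none forgery with an empty signature.
func Token(alg string, c Claims, priv *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	if priv == nil {
		return input + "."
	}
	d := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}

// VerifyIDToken makes the checks an API server needs before accepting the ID token as a bearer credential: pinned alg, signature, iss, aud, exp, in that order.
func VerifyIDToken(cfg OIDCConfig, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	hdrB, err1 := b64.DecodeString(parts[0])
	payB, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("token segments are not base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrB, &hdr) != nil || hdr.Alg != "RS256" { // the token never chooses its own alg
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(cfg.Key, crypto.SHA256, d[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var c Claims
	if err := json.Unmarshal(payB, &c); err != nil {
		return nil, err
	}
	if c.Iss != cfg.Issuer {
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, cfg.Issuer)
	}
	auds, _ := c.Aud.([]interface{}) // array form
	audOK := c.Aud == cfg.ClientID   // single-string form
	for _, a := range auds {
		audOK = audOK || a == cfg.ClientID
	}
	if !audOK {
		return nil, fmt.Errorf("aud %v does not include client_id %q", c.Aud, cfg.ClientID)
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired or has no exp")
	}
	return &c, nil
}

func main() {
	cfg := OIDCConfig{Issuer: "https://idp.example.edu", ClientID: "kubernetes", Key: &IssuerKey.PublicKey}
	c := Claims{Iss: cfg.Issuer, Aud: cfg.ClientID, Exp: time.Now().Add(time.Hour).Unix(),
		Email: "alice@example.edu", Groups: []string{"k8s-admins"}}
	good, err := VerifyIDToken(cfg, Token("RS256", c, IssuerKey), time.Now())
	fmt.Printf("RS256 token: %+v err=%v\n", good, err)
	_, err = VerifyIDToken(cfg, Token("none", c, nil), time.Now())
	fmt.Println("alg=none token:", err)
}
```

Saved as main.go and started with go run, it prints the accepted claims for the signed token and the rejection reason for the alg=none forgery. The order of checks is the point: the algorithm is pinned and the signature verified before any claim is even parsed, so nothing in an unverified payload (iss, exp, groups) can influence the decision, and a payload swapped under a valid signature fails at the signature step rather than being trusted for its contents.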

On 26 February 2018 at 18:14, Felipe Polo-Wood <felipe.polowood at duke.edu> wrote:

I am trying to wrap my head around what that means... is it encrypted in any way?  Does it transit outside K8s?


Felipe Polo-Wood
Sr. Manager Clinical Applications Technical Services
Duke Health Technology Solutions
3100 Tower Blvd. Office 270
Durham, NC 27707
Office: +1.919.668.2268
Mobile: +1.919.741.4213
________________________________
From: mitreid-connect-bounces at mit.edu <mitreid-connect-bounces at mit.edu> on behalf of Luiz Omori <luiz.omori at duke.edu>
Sent: Monday, February 26, 2018 11:29:41 AM
To: mitreid-connect at mit.edu
Subject: [mitreid-connect] Kubernetes Authorization with MitreID OIDC Server


Yes, it works. See instructions here: https://kubernetes.io/docs/admin/authentication/#openid-connect-tokens

Just one caveat: Kubernetes is using the ID Token as the Bearer. Not sure if I’ve seen any applications doing that before. Is this OK?

Regards,

Luiz

_______________________________________________
mitreid-connect mailing list
mitreid-connect at mit.edu
http://mailman.mit.edu/mailman/listinfo/mitreid-connect
