<div dir="ltr"><div><div><div>The ID token is a signed JWT, so it should be fine as long as Kubernetes checks whether the token is signed correctly and with an expected algorithm (e.g. <a href="https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/">it does not accept the "none" algorithm</a>).<br><br></div>We're also running Kubernetes with a MitreID OIDC server and it works great. Since v1.3.2 it's easier to <a href="https://github.com/WISVCH/connect/blob/5fa64e4bd634bdf4622a32db6d7131c8430150a7/wisvch-connect-overlay/src/main/java/ch/wisv/connect/overlay/services/CHOIDCTokenService.java">add an ID token group claim</a> that can be used for Kubernetes RBAC. We're using <a href="https://github.com/WISVCH/oidc-proxy">a fork</a> of <a href="https://github.com/gambol99/keycloak-proxy">keycloak-proxy</a> in front of the Kubernetes Dashboard so that users are able to access it without a kubectl proxy. For users that need/want kubectl, we have <a href=" https://github.com/WISVCH/oidc-kubeconfig">a tiny webapp that can generate kubectl config files</a> including an OIDC refresh token.<br><br></div>Cheers,<br></div>Mark<br><div><div><div class="gmail_extra"><br><div class="gmail_quote">On 26 February 2018 at 18:14, Felipe Polo-Wood <span dir="ltr"><<a href="mailto:felipe.polowood@duke.edu" target="_blank">felipe.polowood@duke.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div id="gmail-m_6173218706944072955divtagdefaultwrapper" style="font-size:8pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p style="margin-top:0px;margin-bottom:0px">I am trying to wrap my head around what that means... is it encrypted in any way? Does it transit outside K8s?<br>
</p>
<p style="margin-top:0px;margin-bottom:0px"><br>
</p>
<div id="gmail-m_6173218706944072955Signature">
<div id="gmail-m_6173218706944072955divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:Inconsolata,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<div name="divtagdefaultwrapper">
<div style="font-size:13px;font-family:Tahoma">
<div class="gmail-m_6173218706944072955BodyFragment"><font size="2">
<div class="gmail-m_6173218706944072955PlainText">Felipe Polo-Wood<br>
Sr. Manager Clinical Applications Technical Services</div>
<div class="gmail-m_6173218706944072955PlainText">Duke Health Technology Solutions</div>
<div class="gmail-m_6173218706944072955PlainText">3100 Tower Blvd. Office 270</div>
<div class="gmail-m_6173218706944072955PlainText">Durham, NC 27707</div>
<div class="gmail-m_6173218706944072955PlainText">Office: <a href="tel:+1%20919-668-2268" value="+19196682268" target="_blank">+1.919.668.2268</a><br>
Mobile: <a href="tel:+1%20919-741-4213" value="+19197414213" target="_blank">+1.919.741.4213</a><br>
</div>
</font></div>
</div>
</div>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_6173218706944072955divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b>From:</b> <a href="mailto:mitreid-connect-bounces@mit.edu" target="_blank">mitreid-connect-bounces@mit.<wbr>edu</a> <<a href="mailto:mitreid-connect-bounces@mit.edu" target="_blank">mitreid-connect-bounces@mit.<wbr>edu</a>> on behalf of Luiz Omori <<a href="mailto:luiz.omori@duke.edu" target="_blank">luiz.omori@duke.edu</a>><br>
<b>Sent:</b> Monday, February 26, 2018 11:29:41 AM<br>
<b>To:</b> <a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a><br>
<b>Subject:</b> [mitreid-connect] Kubernetes Authorization with MitreID OIDC Server</font>
<div> </div>
</div><div><div class="gmail-h5">
<div style="background-color:white" lang="EN-US">
<div class="gmail-m_6173218706944072955x_WordSection1">
<p class="gmail-m_6173218706944072955x_MsoNormal"><span style="font-size:11pt">Yes, it works. See instructions here:
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__kubernetes.io_docs_admin_authentication_-23openid-2Dconnect-2Dtokens&d=DwMGaQ&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=A3Yhle7nZIqZWq2hnFMxKnnaih9e8isMynaYEUQaOec&m=846ABQIAO1ZXrQn4e8wK8AbEOeHQ6rF5OfB1raTTgHw&s=fKQIqQm8cL4BhJX8iGpB5d1UnlpJA0VhILB7dvYnuZk&e=" target="_blank">
https://kubernetes.io/docs/<wbr>admin/authentication/#openid-<wbr>connect-tokens</a></span></p>
<p class="gmail-m_6173218706944072955x_MsoNormal"><span style="font-size:11pt"> </span></p>
<p class="gmail-m_6173218706944072955x_MsoNormal"><span style="font-size:11pt">Just one caveat: Kubernetes is using the ID Token as the Bearer. Not sure if I’ve seen any applications doing that before. Is this OK?</span></p>
<p class="gmail-m_6173218706944072955x_MsoNormal"><span style="font-size:11pt"> </span></p>
<p class="gmail-m_6173218706944072955x_MsoNormal"><span style="font-size:11pt">Regards,</span></p>
<p class="gmail-m_6173218706944072955x_MsoNormal"><span style="font-size:11pt">Luiz</span></p>
</div>
</div>
</div></div></div>
<br>______________________________<wbr>_________________<br>
mitreid-connect mailing list<br>
<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" rel="noreferrer" target="_blank">http://mailman.mit.edu/<wbr>mailman/listinfo/mitreid-<wbr>connect</a><br>
<br></blockquote></div><br></div></div></div></div>