Comments (2)
Hi @dmeijboom, thanks for creating an issue.
I think what you are seeing is by design, although I can understand why you were hoping for a different behavior. I can try to explain and I can also propose some potential solutions.
When you use a JWTAuthenticator what you are saying is conceptually "when anyone shows up at this cluster's front door holding a JWT from the expected issuer with the expected audience claim, then allow them to authenticate as the username from the configured username claim of the JWT and group memberships from the configured groups claim of the JWT". The cluster (the Concierge, more specifically) is only presented with the ID token. It does not receive the access token nor any other information, so it has no other information to work from. That JWT must not be expired. The JWTAuthenticator code is actually borrowed from Kubernetes, and is performing the exact same checks as Kubernetes own OIDC authenticator. Also note that OIDC does not require that access tokens be JWTs, and in fact they are often opaque tokens with no way to know their lifetime by only looking at the token itself, so in general an access token would not be enough information to imply a longer lifetime all by itself anyway, which is probably one of the reasons why the Kubernetes code does not use access tokens in addition to the ID token for auth.
However, there are possible solutions.
- If your OIDC provider issued refresh tokens, then the Pinniped CLI would notice that the ID token is expired and it would use the refresh token to attempt to get a new ID token that it could send to the cluster. This would happen without any need for user interaction, so it would feel seamless.
- If you use the Pinniped Supervisor, then it will issue its own ID, access, and refresh tokens after the user has authenticated with your external OIDC provider. The Pinniped CLI would perform refreshes against the Supervisor using the Supervisor-issued refresh token, and during those refreshes the Supervisor would use either the external provider's refresh token (preferred) or the external provider's access token (if there was no refresh token handed out by the external provider) to make various calls to your external provider to determine if the user's session should be allowed to continue.
Either of those approaches should allow the user's session to continue longer without any user interaction.
Does that help?
from pinniped.
Thanks for the detailed reply. I wasn't aware that the JWTAuthenticator only looks at the ID token. That makes sense. Our OIDC provider should simply reply with refresh tokens, I guess that's the easiest way to move forward.
Thanks again! I'll close this issue as its exactly how pinniped should work.
from pinniped.
Related Issues (20)
- Document how to debug LDAPIdentity provider spec using `ldapsearch` CLI and pod logs
- Add a way to configure the cipher suite used for TLS HOT 4
- Add Carvel package proposal (please update with more detail) HOT 4
- The local-user-authenticator-tls-serving-certificate is not actually a TLS serving cert, it is a CA HOT 3
- Pinniped CLI version command should match `kubectl version` HOT 2
- API Discovery (`kubectl explain`) should work for OpenAPIv3 and aggregate APIs
- Aggregate APIs should not have name `Generic API Server` HOT 1
- show interstitial web page to allow user to choose IDP when multiple IDPs are configured and authorize endpoint query param to choose IDP is not used
- Support/ignore injected sidecar containers in the kube cert agent pod
- Add to Pinniped.dev: FederationDomain transformation playground
- The Concierge Impersonation Proxy should use a service account token from the TokenRequest API HOT 2
- Removing the concierge secret makes ingress-nginx reload fail HOT 2
- Bump "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp" version to 0.44.0 HOT 1
- Use non-deprecated mock generator
- [Proposal] Authenticating Users via GitHub
- Feature Request: Improve Pinniped OIDC Auth Experience with Browser Link Option HOT 17
- Allow a volumemount certificate reference to be used by JWTAuthenticator HOT 5
- Cleanup conditions_util and ensure it is thoroughly tested
- TokenCredentialRequestAPI related errors when ImpersonationProxy is being used instead HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pinniped.