-
Notifications
You must be signed in to change notification settings - Fork 154
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: add additional OIDC auth resolvers #2020
base: main
Are you sure you want to change the base?
Conversation
The image is available at: |
The image is available at: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is for 1.5 only. DO NOT BACKPORT
7a6a377
to
af67218
Compare
@kim-tsao I found this recommendation in the OIDC specs while looking into the "Due to the possibility of token substitution attacks (see Section 16.11), the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used." I've added a check to satisfy this requirement in this PR as well 👍 |
The image is available at: |
8e58de5
to
6ad8b29
Compare
The image is available at: |
Signed-off-by: Jessica He <[email protected]>
c51b5cd
to
b9dba8e
Compare
The image is available at: |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kim-tsao The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
1 similar comment
/retest |
@JessicaJHee: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Description
Adds the
oidcSubClaimMatchingKeycloakUserId
andoidcSubClaimMatchingPingIdentityUserId
resolvers that resolve based on the more secure,sub
claim from OIDC.Which issue(s) does this PR fix
PR acceptance criteria
Please make sure that the following steps are complete: