New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should have the option to use access_token
instead of id_token
#1083
Labels
enhancement
New feature or request
Comments
adkafka
pushed a commit
to adkafka/kubelogin
that referenced
this issue
Apr 25, 2024
Implements int128#1083. See description there for context.
adkafka
pushed a commit
to adkafka/kubelogin
that referenced
this issue
Apr 25, 2024
Implements int128#1083. See description there for context.
adkafka
pushed a commit
to adkafka/kubelogin
that referenced
this issue
Apr 25, 2024
Implements int128#1083. See description there for context. In its current form, this PR is barebones functionality. I have not yet added any tests to confirm this behavior. But I have validated it locally. Without adding `--oidc-use-access-token`, and `id_token` is successfully returned. Adding `--oidc-use-access-token` results in an `access_token` being successfully returned.
adkafka
pushed a commit
to adkafka/kubelogin
that referenced
this issue
Apr 25, 2024
Implements int128#1083. See description there for context. In its current form, this PR is bare bones functionality. I have not yet added any tests to confirm this behavior. Additionally, we could consider updtating some of the naming. It is confusing to return a `TokenSet` where `IDToken` actually has an `accessToken`. I'm open to feedback on how best to improve this. However, this PR is functional in its current form. I have validated it locally. Without adding `--oidc-use-access-token`, and `id_token` is successfully returned. Adding `--oidc-use-access-token` results in an `access_token` being successfully returned.
adkafka
pushed a commit
to adkafka/kubelogin
that referenced
this issue
Apr 25, 2024
Implements int128#1083. See description there for context. In its current form, this PR is bare bones functionality. I have not yet added any tests to confirm this behavior. Additionally, we could consider updtating some of the naming. It is confusing to return a `TokenSet` where `IDToken` actually has an `accessToken`. I'm open to feedback on how best to improve this. However, this PR is functional. I have validated it locally. Without adding `--oidc-use-access-token`, and `id_token` is successfully returned. Adding `--oidc-use-access-token` results in an `access_token` being successfully returned.
adkafka
changed the title
Should the option to use
Should have the option to use Apr 26, 2024
access_token
instead of id_token
access_token
instead of id_token
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Purpose of the feature (why)
It should be possible to configure this tool to use an
access_token
instead of anid_token
. Many identity providers expose extra claims inaccess_token
s that are not available inid_token
s. One concrete example is thescp
claim in Azure AD that can be used to identify which scopes were requested. In my case, I'm using additional scopes to force the ID provider to trigger MFA, and I'd like to use--oidc-required-claim
server-side to verify that the tokens issued have the necessary extra scope. Similiarly, AzureAD also only exposes theamr
claim on the access token which more directly indicates if the user used MFA, however the values of that are an array, not a string, so I cannot simply use--oidc-required-claim
with that.The kubernetes docs indicate that we should be using the
id_token
, not theaccess_token
, but there is more nuance to that. As an example, see this thread: Why use id tokens instead of access tokens for authorization. I can also share anecdotal data that there are other use cases that have come up in my work where we've had to resort to using theaccess_token
instead of theid_token
in an OIDC flow in order to access the necessary claims. Lastly, the Azure basedkubelogin
tool also uses theaccess_token
, not theid_token
. See logic here.I believe the user of this tool should be able to choose to use
access_token
s instead, assuming they understand these nuances, even though it is not the suggested path according to the official kubernetes docs.Your idea (how)
I suggest adding a new CLI flag to the
get-token
command:--oidc-use-access-token
. This will then return theaccess_token
instead of theid_token
in this method:kubelogin/pkg/oidc/client/client.go
Line 195 in fdcdcc3
pkg/oidc/client/client.go
). See #1084 for the PR.The default behavior will be unchanged (using
id_token
), this new behavior must be opted into.The text was updated successfully, but these errors were encountered: