OpenID Connect

OpenID Connect (OIDC) is an authentication layer built on top of OAuth

  1. User authenticates with the OIDC provider and receives a token

  2. User presents the token to the service

  3. Service validates the token and authorizes access

OIDC providers include: Keycloak, Dex, GitLab

Kubernetes

Use an OIDC provider to authenticate users

Authorize access to resources based on the token's claims


Internals

{
  "iss": "https://gitlab.com",
  "sub": "REDACTED",
  "aud": "REDACTED",
  "exp": REDACTED,
  "iat": REDACTED,
  "nonce": "REDACTED",
  "auth_time": REDACTED,
  "sub_legacy": "REDACTED",
  "name": "Nicholas Dille",
  "nickname": "nicholasdille",
  "preferred_username": "nicholasdille",
  "website": "https://dille.name",
  "profile": "REDACTED",
  "picture": "REDACTED",
  "groups_direct": [
    "k8s-oidc-demo"
  ]
}

The token contains claims that are useful for authorization

Claims are generated from…

The token owner's preferred_username claim is mapped to a Kubernetes User

Each entry in the groups_direct claim is mapped to a Kubernetes Group

Use kubelogin to avoid storing the token in the kubeconfig
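Added example (not from the original slides): how the claim mapping above is wired into kube-apiserver, an RBAC binding for the mapped group, and a kubeconfig entry that delegates token handling to kubelogin. The client ID, the "oidc:" prefixes, the namespace and the client secret are assumed placeholders; the issuer and claim names come from the token shown above.

```yaml
# 1. kube-apiserver flags (e.g. under spec.containers[0].command in
#    /etc/kubernetes/manifests/kube-apiserver.yaml):
#   - --oidc-issuer-url=https://gitlab.com        # must match the "iss" claim exactly
#   - --oidc-client-id=k8s-oidc-demo-client       # must be contained in the "aud" claim
#   - --oidc-username-claim=preferred_username    # -> Kubernetes User
#   - --oidc-username-prefix=oidc:                # keeps OIDC users apart from system: users
#   - --oidc-groups-claim=groups_direct           # -> Kubernetes Groups
#   - --oidc-groups-prefix=oidc:
#
# 2. With the token above, the API server sees user "oidc:nicholasdille"
#    in group "oidc:k8s-oidc-demo". Grant that group read-only access
#    to one namespace (assumed name "demo") via the built-in "view" role:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k8s-oidc-demo-viewers
  namespace: demo
subjects:
- kind: Group
  name: oidc:k8s-oidc-demo
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
---
# 3. kubeconfig user entry: kubelogin (kubectl oidc-login) obtains and
#    caches the ID token, so no token sits in the kubeconfig file itself.
apiVersion: v1
kind: Config
users:
- name: gitlab-oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://gitlab.com
      - --oidc-client-id=k8s-oidc-demo-client
      - --oidc-client-secret=REPLACE_ME   # placeholder, never commit a real secret
```

If the username prefix is omitted, kube-apiserver prefixes non-email username claims with the issuer URL and "#" by default, so the mapped user would read "https://gitlab.com#nicholasdille"; RBAC subjects must use whichever form the API server actually produces.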

Demo