OpenID Connect (OIDC) builds on OAuth
User authenticates with the OIDC provider and receives a token
User presents the token to the service
Service validates the token and authorizes access
OIDC providers include: Keycloak, Dex, GitLab
Use OIDC provider to authenticate
Authorize access to resources
{
  "iss": "https://gitlab.com",
  "sub": "REDACTED",
  "aud": "REDACTED",
  "exp": REDACTED,
  "iat": REDACTED,
  "nonce": "REDACTED",
  "auth_time": REDACTED,
  "sub_legacy": "REDACTED",
  "name": "Nicholas Dille",
  "nickname": "nicholasdille",
  "preferred_username": "nicholasdille",
  "website": "https://dille.name",
  "profile": "REDACTED",
  "picture": "REDACTED",
  "groups_direct": [
    "k8s-oidc-demo"
  ]
}
Token contains claims useful for authorization
Claims are generated from…
The token owner's preferred_username claim is mapped to a Kubernetes User
Each value in the groups_direct claim is mapped to a Kubernetes Group
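The validation and claim mapping described above, as an added example (not code from the original slides): it checks iss, aud, exp and nonce on an already signature-verified set of claims, maps preferred_username to the Kubernetes user and groups_direct to groups, and authorizes against a small group-to-verb table standing in for RBAC. The audience, nonce, clock value, sample claims and permission table are constructed; the signature check against the provider's keys is assumed to have happened before this step.

```python
import time
from dataclasses import dataclass


@dataclass
class KubeUser:
    username: str
    groups: list


class TokenRejected(Exception):
    pass


def rejection_reason(claims, issuer, audience, nonce=None, now=None):
    """Return None if the (signature-verified) claims are acceptable, else a short reason."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return "issuer mismatch"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return "token expired or exp missing"
    if nonce is not None and claims.get("nonce") != nonce:
        return "nonce mismatch"
    return None


def map_to_kube_user(claims, issuer, audience, nonce=None, now=None,
                     username_claim="preferred_username", groups_claim="groups_direct"):
    """Validate the claims, then map username and group claims to a Kubernetes identity."""
    reason = rejection_reason(claims, issuer, audience, nonce, now)
    if reason:
        raise TokenRejected(reason)
    username = claims.get(username_claim)
    if not isinstance(username, str) or not username:
        raise TokenRejected(f"missing {username_claim} claim")
    groups = claims.get(groups_claim, [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise TokenRejected(f"{groups_claim} must be a list of strings")
    return KubeUser(username, groups)


# Constructed stand-in for RBAC bindings: group -> resource -> allowed verbs.
GROUP_PERMISSIONS = {"k8s-oidc-demo": {"pods": {"get", "list"}}}


def authorized(user, resource, verb):
    return any(verb in GROUP_PERMISSIONS.get(g, {}).get(resource, set()) for g in user.groups)


NOW = 1_700_000_000  # fixed clock so results are reproducible (constructed)
SAMPLE_CLAIMS = {  # constructed; uses the claim names shown in the token above
    "iss": "https://gitlab.com", "sub": "example-sub", "aud": "kubernetes-demo",
    "exp": NOW + 300, "iat": NOW, "nonce": "n-0001", "auth_time": NOW,
    "preferred_username": "nicholasdille", "groups_direct": ["k8s-oidc-demo"],
}
```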
Use kubelogin to avoid storing the token in kubeconfig