Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow OIDC flow to ignore aud claim for a specific issuer #20829

Closed
2 tasks done
zzzz465 opened this issue Jul 18, 2023 · 0 comments
Closed
2 tasks done

Allow OIDC flow to ignore aud claim for a specific issuer #20829

zzzz465 opened this issue Jul 18, 2023 · 0 comments
Labels
type/enhancement The enhancements for the existing features or docs. e.g. reduce memory usage of the delayed messages

Comments

@zzzz465
Copy link

zzzz465 commented Jul 18, 2023

Search before asking

  • I searched in the issues and found nothing similar.

Motivation

I'm using apache pulsar 3.0.0 and using OIDC authentication flow. when using ServiceAccount as a OIDC token, the token projected to a Secret isn't same as token that is projected to a pod.

{
  "header": {
    "alg": "RS256",
    "kid": "<kid>"
  },
  "payload": {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "test-pulsar-resources",
    "kubernetes.io/serviceaccount/secret.name": "pulsar-connection-secret",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "kubernetes.io/serviceaccount/service-account.uid": "3df0c728-6810-4162-b9c7-ab9308cbe60c",
    "sub": "system:serviceaccount:test-pulsar-resources:default"
  },
  "signature": "<sig>"
}

the above is a decoded jwt token from the Secret projected service account token.
as you see, there's no aud claim, and the iss claim is different compared to the issuer we get from the k8s api OIDC endpoint.

Solution

to avoid this issue, we need a option to ignore aud claim check for specific allowed issuers.

Alternatives

currently I'm using custom auth class to avoid the issue.

Anything else?

related: streamnative/pulsar-resources-operator#125

Are you willing to submit a PR?

  • I'm willing to submit a PR!
@zzzz465 zzzz465 added the type/enhancement The enhancements for the existing features or docs. e.g. reduce memory usage of the delayed messages label Jul 18, 2023
@zzzz465 zzzz465 changed the title Allow OIDC flow to ignore aud field for a specific issuer Allow OIDC flow to ignore aud claim for a specific issuer Jul 18, 2023
@zzzz465 zzzz465 closed this as completed Jul 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/enhancement The enhancements for the existing features or docs. e.g. reduce memory usage of the delayed messages
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@zzzz465