Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configure OIDC authentication using an OIDC discovery URL #2921

Open
aceat64 opened this issue Dec 9, 2022 · 4 comments
Open

Configure OIDC authentication using an OIDC discovery URL #2921

aceat64 opened this issue Dec 9, 2022 · 4 comments
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature.

Comments

@aceat64
Copy link

aceat64 commented Dec 9, 2022

Is your feature request related to a problem?
No, this is an enhancement.

Describe the solution you'd like
Being able to use a single OpenID Connect Discovery endpoint in the alb.ingress.kubernetes.io/auth-idp-oidc annotation, instead of having to specify multiple OIDC configuration fields.

This would greatly simplify configuration of OIDC authentication when using an IdP that supports discovery (e.g. Keycloak, Okta, etc).

Currently the annotation has to specify a number of fields, this is the example from the docs:

alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://example.com","authorizationEndpoint":"https://authorization.example.com","tokenEndpoint":"https://token.example.com","userInfoEndpoint":"https://userinfo.example.com","secretName":"my-k8s-secret"}'

This could be simplified, for example:

alb.ingress.kubernetes.io/auth-idp-oidc: '{"discoveryEndpoint":"https://authorization.example.com","secretName":"my-k8s-secret"}'

The issuer, authorizationEndpoint, tokenEndpoint, and userInfoEndpoint can all be retrieved from the JSON object served by the discovery endpoint.

Describe alternatives you've considered
Not applicable? I currently use the annotation as documented, this would be a further enhancement.

References
https://swagger.io/docs/specification/authentication/openid-connect-discovery/
https://openid.net/specs/openid-connect-discovery-1_0.html
@kishorj
Copy link
Collaborator

kishorj commented Dec 14, 2022

/kind feature

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 14, 2022
@kishorj kishorj added the good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. label Dec 14, 2022
tan-i-ham added a commit to tan-i-ham/aws-load-balancer-controller that referenced this issue Dec 29, 2022
@tan-i-ham
feat(kubernetes-sigs#2921): Use an OIDC discovery URL
5ec07d7 
Implement OIDC discovery URL to config
@tan-i-ham
Copy link

/assign

@tan-i-ham tan-i-ham removed their assignment Feb 28, 2024
@omerap12
Copy link
Member

/assign

@omerap12 omerap12 mentioned this issue Jun 15, 2024
Closed
6 tasks
@omerap12
Copy link
Member

if anyone wants to pick this up: #3747

@omerap12 omerap12 removed their assignment Nov 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@aceat64 @kishorj @tan-i-ham @k8s-ci-robot @omerap12