
OIDC + dex, expected audience "kubernetes" got ["headlamp"]]"

Open matt-deboer opened this issue 1 year ago • 1 comment

Description

This is not really a bug, just a signpost for others who may hit the same issue. When configuring headlamp with OIDC using dex, I had configured a static client for 'headlamp', which was working successfully. I had another static client configured for 'kubernetes' for use by the apiservers' oidc configuration. When authenticating to headlamp, my user had no permission to list anything.

In examining the kube apiserver logs, I saw the following error:

"Unable to authenticate the request" err="[invalid bearer token, oidc: verify token: oidc: expected audience \"kubernetes\" got [\"headlamp\"]]"

To work around this, I added audience:server:client_id:kubernetes to the -oidc-claims arg specified for the headlamp binary, and added trustedPeers: [ 'headlamp'] to the static client config (in dex) for the 'kubernetes' static client, which resulted in tokens being issued with aud: ['headlamp', 'kubernetes'] which were accepted by the kube apiserver, and then all worked as desired.

I now realize that this also could have worked if the headlamp and the apiserver shared a single static client id in dex, with redirectURIs specified for each (which is maybe what the documentation was trying to say to begin with?)

The only potential fix is maybe more clarification in the docs about these 2 possible configuration scenarios.

matt-deboer avatar Aug 17 '22 20:08 matt-deboer
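The two configuration scenarios described in the report, written out as a dex config for reference. This is an added example, not configuration from the issue author or from the dex or Headlamp projects; the issuer URL, redirect URIs and client secrets are assumed placeholders. Scenario A keeps two static clients and uses dex's cross-client trust (trustedPeers plus the audience:server:client_id:kubernetes scope) so that tokens issued to the headlamp client also carry the kubernetes audience the API server checks; scenario B uses one shared client id with a redirect URI for each consumer.

```yaml
# Scenario A: two static clients with cross-client trust.
# The apiserver validates tokens against its own --oidc-client-id, so a token
# whose aud is only ["headlamp"] is rejected with
# "oidc: expected audience "kubernetes" got ["headlamp"]".
# With trustedPeers, dex issues aud: ["headlamp", "kubernetes"] when the
# headlamp login additionally requests the scope
# audience:server:client_id:kubernetes (azp stays "headlamp").
issuer: https://dex.example.com                 # assumed issuer URL
staticClients:
  - id: headlamp
    name: Headlamp
    secret: <headlamp-client-secret>            # placeholder
    redirectURIs:
      - https://headlamp.example.com/oidc-callback   # assumed callback URL
  - id: kubernetes
    name: Kubernetes API server
    secret: <kubernetes-client-secret>          # placeholder
    redirectURIs:
      - http://localhost:8000                   # assumed, e.g. for a kubectl login helper
    # Allow tokens requested by the headlamp client to also carry this client
    # id in aud. Only list clients you want to be accepted by the apiserver.
    trustedPeers:
      - headlamp
# kube-apiserver flags that go with scenario A (assumed values):
#   --oidc-issuer-url=https://dex.example.com
#   --oidc-client-id=kubernetes
# Headlamp side: add audience:server:client_id:kubernetes to the OIDC scopes
# requested by the Headlamp backend, as the report describes.
---
# Scenario B: one shared static client for both Headlamp and the apiserver.
# The token's aud is then ["kubernetes"] and no cross-client trust is needed;
# every consumer that performs the browser redirect needs its own redirectURI.
issuer: https://dex.example.com                 # assumed issuer URL
staticClients:
  - id: kubernetes
    name: Kubernetes (shared by Headlamp and the API server)
    secret: <shared-client-secret>              # placeholder
    redirectURIs:
      - https://headlamp.example.com/oidc-callback   # assumed Headlamp callback
      - http://localhost:8000                   # assumed kubectl login helper callback
# kube-apiserver flags for scenario B (assumed values):
#   --oidc-issuer-url=https://dex.example.com
#   --oidc-client-id=kubernetes
# Headlamp is configured with client id "kubernetes" and the shared secret.
```

Scenario A keeps a separate secret per consumer, so a leaked Headlamp client secret does not directly yield a credential for the apiserver's client; scenario B is simpler but means both components share one secret. In either case the check to run after changing the config is to decode the ID token Headlamp receives and confirm that its aud claim contains the exact value passed to the apiserver's --oidc-client-id flag.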

Thanks @matt-deboer! We shall add the relevant bits to our docs.

joaquimrocha avatar Aug 26 '22 15:08 joaquimrocha