kubelogin

Understand the "get certificate" step in the diagram

Open tz-torchai opened this issue 3 years ago • 1 comments

Describe the question

Thanks so much for this wonderful and convenient tool.

I understand all the other steps in the diagram except step 12 and step 13. What will kube-apiserver do after receiving the request with the token? Could anyone explain that to me? Thanks in advance!

tz-torchai, May 13 '22 05:05

When the Kubernetes API server receives an ID token (JWT) from kubectl, it verifies the signature of the token against the issuer certificate.

See the doc for details.

  1. The API server will make sure the JWT signature is valid by checking against the certificate named in the configuration https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

If you are interested in OpenID Connect, see also this doc.

The Client MUST validate the signature of all other ID Tokens according to JWS [JWS] using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by the Issuer. https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

int128, Jul 16 '22 11:07
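The signature check described in the answer above, as an added example (not code from the thread, kubelogin or Kubernetes): a relying party pins the `alg` header, verifies the RS256 signature with the issuer's public key, and only then trusts the claims. It goes slightly beyond the quoted text by also checking `iss`, `aud` and `exp`. The names `sign`, `verify`, `demoKey` and `demoClaims`, the issuer URL and the audience are assumptions, and the key is passed in directly rather than fetched from the issuer.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)
const demoClaims = `{"iss":"https://idp.example","aud":"kubernetes","sub":"alice","exp":2000000000}` // constructed
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway issuer key, constructed for the demo
var b64 = base64.RawURLEncoding
// sign plays the OIDC provider: it issues an RS256-signed JWT over the given payload JSON.
func sign(key *rsa.PrivateKey, payload string) string {
	in := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString([]byte(payload))
	sum := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return in + "." + b64.EncodeToString(sig)
}

// verify plays the API server: pin alg, check the signature with the issuer's key, then the claims.
func verify(tok string, pub *rsa.PublicKey, iss, aud string, now int64) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	var h, c struct { // one shape reused for the header (alg) and the payload claims
		Alg, Iss, Aud, Sub string // aud as a single string is an assumption; it may be an array
		Exp                int64
	}
	hb, _ := b64.DecodeString(p[0]) // a failed decode surfaces as a JSON or signature error below
	cb, _ := b64.DecodeString(p[1])
	sig, _ := b64.DecodeString(p[2])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	switch {
	case json.Unmarshal(hb, &h) != nil || h.Alg != "RS256": // never let the token choose the algorithm
		return "", fmt.Errorf("alg is not the pinned RS256")
	case rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil:
		return "", fmt.Errorf("signature does not match the issuer key")
	case json.Unmarshal(cb, &c) != nil || c.Iss != iss || c.Aud != aud || now >= c.Exp:
		return "", fmt.Errorf("issuer, audience or expiry check failed")
	}
	return c.Sub, nil
}

func main() {
	fmt.Println(verify(sign(demoKey, demoClaims), &demoKey.PublicKey, "https://idp.example", "kubernetes", 1700000000))
}
```

Claims are read only after the signature case has passed, so a token whose payload was edited after signing is rejected before its `sub` is ever used.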