aws-load-balancer-controller
Configure OIDC authentication using an OIDC discovery URL
Is your feature request related to a problem?
No, this is an enhancement.
Describe the solution you'd like
Being able to use a single OpenID Connect Discovery endpoint in the alb.ingress.kubernetes.io/auth-idp-oidc annotation, instead of having to specify multiple OIDC configuration fields.
This would greatly simplify configuration of OIDC authentication when using an IdP that supports discovery (e.g. Keycloak, Okta, etc.).
Currently the annotation has to specify a number of fields; this is the example from the docs:
alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://example.com","authorizationEndpoint":"https://authorization.example.com","tokenEndpoint":"https://token.example.com","userInfoEndpoint":"https://userinfo.example.com","secretName":"my-k8s-secret"}'
This could be simplified, for example:
alb.ingress.kubernetes.io/auth-idp-oidc: '{"discoveryEndpoint":"https://authorization.example.com","secretName":"my-k8s-secret"}'
The issuer, authorizationEndpoint, tokenEndpoint, and userInfoEndpoint can all be retrieved from the JSON object served by the discovery endpoint.
Describe alternatives you've considered
Not applicable? I currently use the annotation as documented; this would be a further enhancement.
References
https://swagger.io/docs/specification/authentication/openid-connect-discovery/
https://openid.net/specs/openid-connect-discovery-1_0.html
/kind feature
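As an added example (not code from this issue or from the controller itself): a Go function that expands a fetched discovery document into the JSON the auth-idp-oidc annotation carries today, with the two checks a controller implementing this request should make before trusting the document: the issuer must match the URL the document was fetched from, and every endpoint must be an absolute https URL. The function and type names, the discoveryURL argument and the sample document are assumptions for the example.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample of the provider metadata an IdP serves at
// <issuer>/.well-known/openid-configuration (not a real provider's document).
const SampleDiscoveryDoc = `{"issuer":"https://example.com","authorization_endpoint":"https://authorization.example.com",
 "token_endpoint":"https://token.example.com","userinfo_endpoint":"https://userinfo.example.com"}`
// discoveryDoc: the Provider Metadata fields (Discovery 1.0, sec. 3) the annotation needs.
type discoveryDoc struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	UserInfoEndpoint      string `json:"userinfo_endpoint"`
}
// oidcAnnotation mirrors the JSON object the auth-idp-oidc annotation carries today.
type oidcAnnotation struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorizationEndpoint"`
	TokenEndpoint         string `json:"tokenEndpoint"`
	UserInfoEndpoint      string `json:"userInfoEndpoint"`
	SecretName            string `json:"secretName"`
}
// BuildAnnotation expands a fetched discovery document into the annotation value. It
// rejects a document whose issuer differs from the URL it was fetched from (Discovery
// 1.0, sec. 4.3) and any non-https endpoint, so a spoofed document cannot redirect logins.
func BuildAnnotation(discoveryURL string, body []byte, secretName string) (string, error) {
	var d discoveryDoc
	if err := json.Unmarshal(body, &d); err != nil {
		return "", fmt.Errorf("parse discovery document: %w", err)
	}
	want := strings.TrimSuffix(discoveryURL, "/.well-known/openid-configuration")
	if strings.TrimRight(d.Issuer, "/") != strings.TrimRight(want, "/") {
		return "", fmt.Errorf("issuer %q does not match discovery URL %q", d.Issuer, discoveryURL)
	}
	eps := map[string]string{"authorization_endpoint": d.AuthorizationEndpoint,
		"token_endpoint": d.TokenEndpoint, "userinfo_endpoint": d.UserInfoEndpoint}
	for name, ep := range eps {
		if u, err := url.Parse(ep); err != nil || u.Scheme != "https" || u.Host == "" {
			return "", fmt.Errorf("%s must be an absolute https URL, got %q", name, ep)
		}
	}
	out, err := json.Marshal(oidcAnnotation{d.Issuer, d.AuthorizationEndpoint, d.TokenEndpoint, d.UserInfoEndpoint, secretName})
	return string(out), err
}
```

Fetching the document over TLS is left to the caller; the issuer and https checks are what keep a substituted or downgraded document from silently changing where users are sent to log in.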
/assign
/assign