
Consider adding a way to see the TokenReview objects

Open SEJeff opened this issue 7 years ago • 4 comments

CoreOS's Tectonic product's dashboard has a nice feature for troubleshooting which shows the TokenReview resource for an authenticated user. This shows the groups a user is a member of and makes it a bit nicer to set up RoleBindings and ClusterRoleBindings.

{
  "kind": "TokenReview",
  "apiVersion": "authentication.k8s.io/v1beta1",
  "metadata": {
    "creationTimestamp": null
  },
  "status": {
    "authenticated": true,
    "user": {
      "username": "jschroeder@[CENSORED]",
      "groups": [
        "admins",
        "linux-core",
        "system:authenticated"
      ]
    }
  }
}

It would be nice if kuberos had some way to show something similar, or just decode the JWT, which shows pretty much the same info.

SEJeff avatar Feb 21 '18 19:02 SEJeff

The reason why I'm asking for this is because I didn't configure the --extra-scopes=groups and spent entirely too much time realizing that the groups scope wasn't even included. Feel free to close this ticket if you think that is out of scope, but some way to sensibly help dumb users (like me!) would be nice.

SEJeff avatar Feb 21 '18 20:02 SEJeff

I don't think a TokenReview object is involved when doing OIDC authentication (but I could be wrong - I don't actually use OIDC from day to day anymore). That said, we might be able to extract the info you're after and debug log them without too much effort.

negz avatar Feb 26 '18 23:02 negz

In troubleshooting my own misconfiguration of kuberos (I wasn't requesting groups as an extra scope), I found that you can decode the id token at https://jwt.io. It shows the full decoded token along with any claims. Perhaps that would suffice, or a human friendly version of that? It seems super useful for user debugging.

SEJeff avatar Mar 01 '18 19:03 SEJeff
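The two debugging routes discussed in this thread (a TokenReview showing the user's groups, or decoding the id_token's claims) both come down to reading the payload segment of the JWT. The following is an added example, not kuberos code and not something either commenter posted: it splits a compact JWS, base64url-decodes the payload without verifying the signature (the API server does the verification; this is only for inspection), and reports whether a `groups` claim is present, absent, or present but empty, which is the exact symptom of running kuberos without `--extra-scopes=groups`. The token it decodes is constructed inline with `alg: none` and an empty signature purely so the example runs offline; real id_tokens are signed. Decoding locally like this also avoids pasting a live id_token, which is a bearer credential for the API server, into a third-party site such as jwt.io.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims holds the id_token claims that matter when debugging RBAC bindings.
// Groups stays nil when the claim is absent, and is an empty slice when the
// IdP emitted "groups": [] - the two cases point at different misconfigurations.
type Claims struct {
	Issuer  string   `json:"iss"`
	Subject string   `json:"sub"`
	Email   string   `json:"email"`
	Groups  []string `json:"groups"`
}

// decodeSegment base64url-decodes one JWT segment, tolerating optional '=' padding.
func decodeSegment(seg string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(seg, "="))
}

// DecodeClaims parses the payload of a compact JWS (header.payload.signature).
// It does NOT verify the signature; use it only to look at what the token says.
func DecodeClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("not a compact JWS: expected three dot-separated segments")
	}
	raw, err := decodeSegment(parts[1])
	if err != nil {
		return Claims{}, fmt.Errorf("payload is not valid base64url: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Claims{}, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	return c, nil
}

// Diagnose turns the claims into the human-friendly hint this issue asks for.
func Diagnose(c Claims) string {
	switch {
	case c.Groups == nil:
		return "no \"groups\" claim in id_token: kuberos was probably started without --extra-scopes=groups, " +
			"or the IdP does not emit it; only the username will match (Cluster)RoleBindings"
	case len(c.Groups) == 0:
		return "\"groups\" claim present but empty: the scope was requested, but the IdP returned no group memberships"
	default:
		return "groups claim present: " + strings.Join(c.Groups, ", ")
	}
}

// MakeToken builds a constructed, UNSIGNED token for demonstration only
// (alg "none", empty signature). Real id_tokens are signed by the issuer.
func MakeToken(payload map[string]interface{}) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(payload)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	// Constructed sample data: a token with groups, and one from a client that
	// never requested the groups scope.
	withGroups := MakeToken(map[string]interface{}{
		"iss": "https://issuer.example", "sub": "abc123",
		"email": "jschroeder@example.com", "groups": []string{"admins", "linux-core"},
	})
	withoutGroups := MakeToken(map[string]interface{}{
		"iss": "https://issuer.example", "sub": "abc123", "email": "jschroeder@example.com",
	})
	for _, tok := range []string{withGroups, withoutGroups} {
		c, err := DecodeClaims(tok)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("user=%s\n  %s\n", c.Email, Diagnose(c))
	}
}
```

Note that the API server adds `system:authenticated` itself after verifying the token, so it appears in a TokenReview but never inside the id_token; the decoder above only shows claims the IdP actually issued.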

Just checking in. I haven't had time to look at this, but my current plan when I do is to decode the JWT per your suggestion and log it.

negz avatar Mar 12 '18 09:03 negz