weave-gitops
Passthrough token
Closes: enterprise/1029
What changed?
This adds a slightly different OIDC JWT passthrough that extracts the token, verifies it by extracting it, and passes it on to the upstream Kubernetes rather than impersonating.
It also makes the Token on the Principal harder to leak (by making it a *string).

Why was this change made?
A customer has asked for this specific behaviour.
They appreciate that this will not work if they have multiple client secrets across different clusters, and apparently they are sharing the same one across all clusters just now.

How was this change implemented?
When OIDC is enabled and the feature flag is enabled, this feature is enabled.
You will need only the oidc method enabled, and the WEAVE_GITOPS_FEATURE_OIDC_AUTH_PASSTHROUGH feature enabled, for now.
How did you validate the change?
Release notes
Documentation Changes