What is the purpose of the --oidc-client-id parameter when setting Kubernetes up to use OpenID Connect?

Tags: kubernetes

What is the purpose of the --oidc-client-id parameter when setting Kubernetes up to use OpenID Connect?


This can be explained from the Kubernetes documentation on ID tokens.

As you can see, the identity provider is a separate system. For example, this can be MS Azure AD or Google, as you have shown.

When you register with an identity provider, you get important things in return. The client ID is one such important parameter. If you are aware of the OpenID Connect flow, you need to provide this client ID when you follow the flow. If the flow completes, you will be returned an ID token. An ID token has one must-have claim, aud, which is the audience that the token was issued for.

When you validate an ID token you MUST verify that you are in the audience list. More can be found in the spec.

Quoting from the specification:

The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience

Now, Kubernetes uses bearer tokens. Here the tokens used are ID tokens. To validate the token it should know specifically the audience. This enables the API server to validate that the token was issued for the particular client who made the call, thus authorising the call to succeed.
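The audience check the answer describes, written out as an added example (not code from the answer or from Kubernetes itself). It assumes the signature has already been verified against the issuer's keys and only shows the aud/iss/exp checks that follow; the client ID and issuer URL are constructed placeholders standing in for what an operator would pass as --oidc-client-id and --oidc-issuer-url.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed values: what the operator would configure on kube-apiserver.
OIDC_CLIENT_ID = "kubernetes-cluster"          # hypothetical --oidc-client-id
OIDC_ISSUER = "https://issuer.example.com"     # hypothetical --oidc-issuer-url


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_id_token(claims: dict) -> str:
    """Build a JWT-shaped token with an empty signature (demo input only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_audience(id_token: str, client_id: str, issuer: str,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """OIDC Core checks a relying party applies after signature verification.

    Returns (accepted, subject-or-reason). `aud` may be a single string or a
    list of strings; the configured client id must appear in it. Tokens from
    another issuer or past their `exp` are rejected as well.
    """
    try:
        claims = json.loads(_b64url_decode(id_token.split(".")[1]))
    except (ValueError, IndexError):
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "payload is not a JSON object"
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in audiences:
        return False, f"aud {audiences!r} does not contain {client_id!r}"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "token expired"
    return True, str(claims.get("sub", ""))
```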