claims from id_token are not passed to k8s cluster
SnehaMore20 opened this issue · 0 comments
SnehaMore20 commented
I have deployed kube-oidc-proxy and authenticating using Keycloak into our K8s cluster. But I have observed that kube-oidc-proxy takes claims only from refresh_token and not from id_token.
e.g
refresh_token given below
{
"aud": "https://keycloak.example.com/auth/realms/test",
"azp": "k8s",
"exp": 1611054882,
"iat": 1611053082,
"iss": "https://keycloak.example.com/auth/realms/test",
"jti": "*",
"scope": "openid profile email",
"session_state": "*",
"sub": "*",
"typ": "Refresh"
}
id_token given below
{
"acr": "1",
"aud": "k8s",
"auth_time": 0,
"azp": "k8s",
"email": "test@example.com",
"email_verified": false,
"exp": 1611052668,
"family_name": "test",
"given_name": "",
"groups": [
"/test1",
"/test2"
],
"iat": 1611052368,
"iss": "https://keycloak.example.com/auth/realms/test",
"jti": "*",
"name": "test",
"preferred_username": "test",
"session_state": "*",
"sub": "*",
"typ": "ID"
}
when i pass "--oidc-username-claim=sub" to kube-oidc-proxy , it works and authenticates correctly.
but when i pass "--oidc-username-claim=email" to kube-oidc-proxy, logs throws error:
1 handlers.go:169] unauthenticated user request 10.12.12.192:51378
and kubectl throws error:
error: You must be logged in to the server (the server has asked for the client to provide credentials)
So basically I am not able to use claims from id_token.
Is there any way I can user claims from id_token?