package oidc

import "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"

oidc implements the authenticator.Token interface using the OpenID Connect protocol.

// Example configuration (illustrative only).
// NOTE(review): the fields used here (IssuerURL, ClientID, UsernameClaim) do not
// appear in the Options struct documented further down this page, which is
// configured through JWTAuthenticator, and New as documented here also takes a
// lifecycle context. Treat this snippet as stale and confirm the current field
// names and the New signature in oidc.go before copying it.
config := oidc.Options{
	IssuerURL:     "https://accounts.google.com",
	ClientID:      os.Getenv("GOOGLE_CLIENT_ID"),
	UsernameClaim: "email",
}
// err must be checked before tokenAuthenticator is used; when KeySet is not set,
// initialization is asynchronous and readiness may be checked via HealthCheck.
tokenAuthenticator, err := oidc.New(config)

Index

Functions

func AllValidSigningAlgorithms

func AllValidSigningAlgorithms() []string

func DeleteJWKSFetchMetrics

func DeleteJWKSFetchMetrics(jwtIssuer, apiServerID string)

DeleteJWKSFetchMetrics deletes all JWKS-related metrics for a specific issuer and API server. This includes the hash metric and timestamp metrics (both success and failure). This should be called when an issuer is removed from the configuration to clean up stale metrics.

func RegisterMetrics

func RegisterMetrics()

func ResetMetrics

func ResetMetrics()

Types

type AuthenticatorTokenWithHealthCheck

// AuthenticatorTokenWithHealthCheck is an authenticator.Token that can also
// report whether it is healthy. New initializes the authenticator asynchronously
// when Options.KeySet is not set, so callers may use HealthCheck to learn
// whether it is ready before relying on it.
type AuthenticatorTokenWithHealthCheck interface {
	authenticator.Token
	// HealthCheck returns a non-nil error while the authenticator is not
	// healthy (presumably including before asynchronous initialization has
	// completed — confirm in oidc.go).
	HealthCheck() error
}

func New

New returns an authenticator that is asynchronously initialized when opts.KeySet is not set. The input lifecycleCtx is used (a) to terminate the background goroutines needed for asynchronous initialization and (b) as the base context for any requests that are made (e.g. for key fetching). Thus, once lifecycleCtx is canceled, the authenticator must not be used. A caller may check whether the authenticator is healthy (for example, whether asynchronous initialization has completed) by calling the HealthCheck method.

type CAContentProvider

// CAContentProvider is the subset of dynamiccertificates.CAContentProvider
// needed to dynamically load the provider's root CAs (see Options.CAContentProvider).
type CAContentProvider interface {
	// CurrentCABundleContent returns the PEM-encoded root certificate bundle
	// currently in effect; callers re-read it to pick up rotated CAs.
	CurrentCABundleContent() []byte
}

Subset of dynamiccertificates.CAContentProvider that can be used to dynamically load root CAs.

type Options

// Options configures the OIDC token authenticator created by New.
// Several fields are mutually exclusive (see the per-field comments); which
// combinations New rejects is decided in oidc.go.
type Options struct {
	// JWTAuthenticator is the authenticator that will be used to verify the JWT.
	// Issuer settings (including Issuer.DiscoveryURL, referenced by KeySet below)
	// live here; its full shape is defined in the apiserver package.
	JWTAuthenticator apiserver.JWTAuthenticator

	// Optional KeySet to allow for synchronous initialization instead of fetching from the remote issuer.
	// Mutually exclusive with JWTAuthenticator.Issuer.DiscoveryURL.
	//
	// NOTE(review): supplying a KeySet pins trust to the caller-provided keys, so
	// key rotation at the provider becomes the caller's responsibility — confirm
	// in oidc.go whether a caller-provided KeySet is ever refreshed.
	//
	// The following API server metrics for fetching JWKS and provider status will not be recorded if this is set.
	//  - apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds
	//  - apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info
	KeySet oidc.KeySet

	// PEM encoded root certificate contents of the provider.  Mutually exclusive with Client.
	// Presumably used to verify the TLS connection to the issuer when fetching
	// discovery documents and JWKS; confirm in oidc.go what is trusted when nil.
	CAContentProvider CAContentProvider

	// EgressLookup allows for optional opt-in egress configuration via a custom dialer.  Mutually exclusive with Client.
	EgressLookup egressselector.Lookup

	// Optional http.Client used to make all requests to the remote issuer.  Mutually exclusive with CAContentProvider and EgressLookup.
	// NOTE(review): because CAContentProvider and EgressLookup cannot be combined
	// with Client, a caller-supplied client must carry its own TLS trust and
	// egress configuration — confirm against the validation in New.
	Client *http.Client

	// Optional CEL compiler used to compile the CEL expressions. This is useful to use a shared instance
	// of the compiler as these compilers holding a CEL environment are expensive to create. If not provided,
	// a default compiler will be created.
	// Note: the compiler construction depends on feature gates and the compatibility version to be initialized.
	Compiler authenticationcel.Compiler

	// SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that
	// can be used by the provider to sign tokens.
	//
	// https://tools.ietf.org/html/rfc7518#section-3.1
	//
	// This value defaults to RS256, the value recommended by the OpenID Connect
	// spec:
	//
	// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
	//
	// Keep this list as narrow as the provider actually needs; a token signed
	// with any listed algorithm is accepted. AllValidSigningAlgorithms (above)
	// presumably enumerates the values allowed here — confirm in oidc.go.
	SupportedSigningAlgs []string

	// DisallowedIssuers is undocumented in the original; from the name it
	// appears to list issuer values that must be rejected. NOTE(review): confirm
	// in oidc.go how entries are matched (exact string vs. normalized URL).
	DisallowedIssuers []string

	// APIServerID is the ID of the API server
	// This is used in metrics to identify the API server
	APIServerID string
	// contains filtered or unexported fields
}

Source Files

metrics.go oidc.go

Version
v0.36.0 (latest)
Published
Apr 22, 2026