Skip to content
This repository has been archived by the owner on May 17, 2024. It is now read-only.

Latest commit

 

History

History
24 lines (19 loc) · 1002 Bytes

token-passthrough.md

File metadata and controls

24 lines (19 loc) · 1002 Bytes

Token Passthrough

kube-oidc-proxy can be configured to enable 'token passthrough' for tokens that fail OIDC authentication. If enabled, kube-oidc-proxy will perform a token review API call to the configured target backend using the Kubernetes API. If successful, the request will be passed through as-is, with the token intact in the request and no other authentication used by kube-oidc-proxy.

To enable token passthrough, include the following flag:

--token-passthrough

In the case of the Kubernetes API server, the authenticator, if audience aware, will validate the audiences of tokens using the audience of the API server. A new set of audiences can also be given which will be used to validate the token against. At least one of these audiences need to be present in the audiences of the token to be successful:

---token-passthrough-audiences=aud1.foo.bar,aud2.foo.bar