k3s/staging
Kubernetes Submit Queue 9812856088 Merge pull request #45317 from ericchiang/oidc-client-update
Automatic merge from submit-queue

oidc client plugin: reduce round trips and fix scopes requested

This PR attempts to simplify the OpenID Connect client plugin to
reduce round trips. The steps taken by the client are now:

* If ID Token isn't expired:
   * Do nothing.
* If ID Token is expired:
   * Query /.well-known discovery URL to find token_endpoint.
   * Use an OAuth2 client and refresh token to request new ID token.

This avoids the previous pattern of always initializing a client,
which would hit the /.well-known endpoint several times.

The client no longer does token validation since the server already
does this. As a result, this code no longer imports
github.com/coreos/go-oidc, instead just using golang.org/x/oauth2
for refreshing.

Overall reduction in tests because we're not verifying as many things
on the client side. For example, we're no longer validating the
id_token signature (again, because it's being done on the server
side).

This has been manually tested against dex, and I hope to continue
to test this over the 1.7 release cycle.

cc @mlbiam @frodenas @curtisallen @jsloyer @rithujohn191 @philips @kubernetes/sig-auth-pr-reviews 

```release-note
NONE
```

Updates https://github.com/kubernetes/kubernetes/issues/42654
Closes https://github.com/kubernetes/kubernetes/issues/37875
Closes https://github.com/kubernetes/kubernetes/issues/37874
2017-05-24 19:49:26 -07:00
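The refresh flow the PR describes (reuse the id_token until it expires, then read token_endpoint from the /.well-known discovery document and run an OAuth2 refresh_token grant) as an added, stand-alone Go example. This is not the PR's code: it uses net/http directly rather than golang.org/x/oauth2, and the provider, client id, client secret and refresh token are constructed in-process with net/http/httptest so it runs offline. Signature verification of the id_token is intentionally absent, as the PR leaves that to the API server; the only client-side check is the exp claim.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// idTokenExpired decodes only the JWT payload and checks "exp"; the signature is deliberately not verified here.
func idTokenExpired(idToken string, now time.Time) (bool, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("malformed id_token: got %d segments, want 3", len(parts))
	}
	var claims struct{ Exp int64 `json:"exp"` }
	dec := json.NewDecoder(base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(parts[1])))
	if err := dec.Decode(&claims); err != nil || claims.Exp == 0 {
		return false, fmt.Errorf("id_token payload is not JSON with an exp claim: %v", err)
	}
	return !now.Before(time.Unix(claims.Exp, 0)), nil
}

// readJSON checks a discovery or token response for success and decodes its body into v.
func readJSON(resp *http.Response, err error, v interface{}) error {
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s returned %s", resp.Request.URL.Path, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(v)
}

// refreshIDToken does the two round trips the PR describes: discovery, then the refresh_token grant.
func refreshIDToken(client *http.Client, issuer, clientID, clientSecret, refreshToken string) (string, error) {
	var doc struct{ TokenEndpoint string `json:"token_endpoint"` }
	resp, err := client.Get(strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration")
	if e := readJSON(resp, err, &doc); e != nil || doc.TokenEndpoint == "" {
		return "", fmt.Errorf("discovery failed or lacks token_endpoint: %v", e)
	}
	var tok struct{ IDToken string `json:"id_token"` }
	resp, err = client.PostForm(doc.TokenEndpoint, url.Values{"grant_type": {"refresh_token"},
		"refresh_token": {refreshToken}, "client_id": {clientID}, "client_secret": {clientSecret}})
	if e := readJSON(resp, err, &tok); e != nil || tok.IDToken == "" {
		return "", fmt.Errorf("refresh failed or returned no id_token: %v", e)
	}
	return tok.IDToken, nil
}

// currentIDToken reuses the cached id_token while valid and refreshes only once it has expired.
func currentIDToken(client *http.Client, issuer, cached, clientID, clientSecret, refreshToken string, now time.Time) (string, error) {
	if expired, err := idTokenExpired(cached, now); err != nil {
		return "", err
	} else if !expired {
		return cached, nil
	}
	return refreshIDToken(client, issuer, clientID, clientSecret, refreshToken)
}

// makeUnsignedIDToken builds a constructed, unsigned JWT carrying only an exp claim (a real provider signs it).
func makeUnsignedIDToken(exp int64) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "none"}) + "." + enc(map[string]int64{"exp": exp}) + "."
}

// runDemo stands up a constructed in-process provider and runs the client once with an unexpired
// id_token (no network) and once with an expired one, counting how often discovery was hit.
func runDemo() (fresh, refreshed string, discoveryHits int, err error) {
	var srv *httptest.Server
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
		discoveryHits++
		json.NewEncoder(w).Encode(map[string]string{"token_endpoint": srv.URL + "/token"})
	})
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		// The provider side: reject anything but the expected refresh_token grant.
		if r.FormValue("grant_type") != "refresh_token" || r.FormValue("refresh_token") != "constructed-refresh-token" {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"id_token": makeUnsignedIDToken(time.Now().Add(time.Hour).Unix())})
	})
	srv = httptest.NewServer(mux)
	defer srv.Close()
	get := func(cached string) (string, error) {
		return currentIDToken(srv.Client(), srv.URL, cached, "kubectl", "constructed-secret", "constructed-refresh-token", time.Now())
	}
	if fresh, err = get(makeUnsignedIDToken(time.Now().Add(10 * time.Minute).Unix())); err == nil {
		refreshed, err = get(makeUnsignedIDToken(time.Now().Add(-time.Minute).Unix()))
	}
	return
}

func main() { fmt.Println(runDemo()) }
```

With an unexpired id_token the client makes no request at all; only the expired one triggers exactly one discovery fetch followed by one token request, which is the round-trip reduction the PR is after. The status check in readJSON matters in practice: an error body from the token endpoint must never be decoded as if it carried a token.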
Directory contents (entry, last commit, date):

* src/k8s.io: Merge pull request #45317 from ericchiang/oidc-client-update (2017-05-24 19:49:26 -07:00)
* OWNERS: Add OWNERS for staging and api (2017-04-19 15:58:09 -04:00)
* README.md: Update staging README to reflect multiple repos (2017-05-12 13:19:50 -07:00)
* copy.sh: remove references to client-go/pkg/api (2017-05-02 17:16:06 -07:00)
* godeps-json-updater.go: Clean up staging/godeps-json-updater.go (2017-04-06 09:32:57 +02:00)
* prime-apimachinery.sh

README.md

This directory is the staging area for packages that have been split to their own repository. The content here will be periodically published to respective top-level k8s.io repositories.

Most code in the staging/ directory is authoritative, i.e. the only copy of the code. You can directly modify such code. However, the packages in staging/src/k8s.io/client-go/pkg are copied from pkg/. If you modify the original code in pkg/, you need to run hack/godep-restore.sh from the k8s root directory, followed by hack/update-staging-client-go.sh. We are working towards making all code in staging/ authoritative.

The vendor/k8s.io directory contains symlinks pointing to this staging area, so to use a package in the staging area, you can import it as k8s.io/<package-name>, as if the package were vendored. Packages will be vendored from k8s.io/<package-name> for real after the test matrix is converted to vendor k8s components.