diff --git a/pkg/apis/apiserver/v1alpha1/types.go b/pkg/apis/apiserver/v1alpha1/types.go
index 74b1aa002..be9a67ef5 100644
--- a/pkg/apis/apiserver/v1alpha1/types.go
+++ b/pkg/apis/apiserver/v1alpha1/types.go
@@ -176,6 +176,14 @@ type AuthenticationConfiguration struct {
 // authenticators is neither defined nor stable across releases. Since
 // each JWT authenticator must have a unique issuer URL, at most one
 // JWT authenticator will attempt to cryptographically validate the token.
+ //
+ // The minimum valid JWT payload must contain the following claims:
+ // {
+ // "iss": "https://issuer.example.com",
+ // "aud": ["audience"],
+ // "exp": 1234567890,
+ // "": "username"
+ // }
 JWT []JWTAuthenticator `json:"jwt"`
 }
diff --git a/plugin/pkg/authenticator/token/oidc/oidc_test.go b/plugin/pkg/authenticator/token/oidc/oidc_test.go
index 55184ff99..92c848076 100644
--- a/plugin/pkg/authenticator/token/oidc/oidc_test.go
+++ b/plugin/pkg/authenticator/token/oidc/oidc_test.go
@@ -2953,6 +2953,38 @@ func TestToken(t *testing.T) {
 }`, valid.Unix()),
 want: &user.DefaultInfo{},
 },
+ // test to assert the minimum valid jwt payload
+ // the required claims are iss, aud, exp and (in this case user).
+ {
+ name: "minimum valid jwt payload",
+ options: Options{
+ JWTAuthenticator: apiserver.JWTAuthenticator{
+ Issuer: apiserver.Issuer{
+ URL: "https://auth.example.com",
+ Audiences: []string{"my-client"},
+ },
+ ClaimMappings: apiserver.ClaimMappings{
+ Username: apiserver.PrefixedClaimOrExpression{
+ Expression: "claims.user",
+ },
+ },
+ },
+ now: func() time.Time { return now },
+ },
+ signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256),
+ pubKeys: []*jose.JSONWebKey{
+ loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256),
+ },
+ claims: fmt.Sprintf(`{
+ "iss": "https://auth.example.com",
+ "aud": "my-client",
+ "user": "jane",
+ "exp": %d
+ }`, valid.Unix()),
+ want: &user.DefaultInfo{
+ Name: "jane",
+ },
+ },
 }
 for _, test := range tests {
 t.Run(test.name, test.run)
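Review bot: The last entry of the example payload added to the AuthenticationConfiguration doc comment has an empty-string key, `"": "username"`, so a reader cannot tell which claim is supposed to carry the username; it looks like a placeholder that was lost, and as written it suggests an empty claim name is valid. The username claim is whichever one the `claimMappings.username` mapping selects (the test added in this same commit maps `claims.user`), so the line would read better as `// "<username-claim>": "username"  // the claim selected by claimMappings.username`. The example also shows `aud` as an array while the accompanying test sends it as a plain string; if both shapes are accepted, saying so here keeps the documented floor and the tested floor in agreement. The AuthenticationConfiguration struct begins outside the hunk.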
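Review bot: The new case exercises `aud` only as a plain string (`"aud": "my-client"`), while the doc comment added to types.go in the same commit shows `aud` as an array, so the minimum-payload contract is pinned for just one of the two shapes; a sibling case with `"aud": ["my-client"]` and the same `want` would cover both. The comment above the case, `the required claims are iss, aud, exp and (in this case user).`, has a gap before the parenthesis — presumably a lost placeholder — and would read cleanly as `// the required claims are iss, aud, exp and the username claim (in this case user).` A single positive case also does not show that these claims are actually required; if the file does not already reject a payload missing `exp` or the username claim, matching negative cases would document the floor from the other side. TestToken and the tests slice both start outside the hunk.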