b4e99584ce
This commit fills out the JWT "kid" (KeyID) field on most
serviceaccount tokens we create. The KeyID value we use is derived
from the public key of keypair that backs the cluster's OIDC issuer.
OIDC verifiers use the KeyID to smoothly cope with key rotations:
* During a rotation, the verifier will have multiple keys cached
from the issuer, any of which could have signed the token being
verified. KeyIDs let the verifier pick the appropriate key
without having to try each one.
* Seeing a new KeyID is a trigger for the verifier to invalidate its
cached keys and fetch the new set of valid keys from the identity
provider.
The value we use for the KeyID is derived from the identity provider's
public key by serializing it in DER format, taking the SHA256 hash,
and then urlsafe base64-encoding it. This gives a value that is
strongly bound to the key, but can't be reversed to obtain the public
key, which keeps people from being tempted to derive the key from the
key ID and using that for verification.
Tokens based on jose OpaqueSigners are omitted for now --- I don't see
any way to actually run the API server that results in an OpaqueSigner
being used.
|
||
|---|---|---|
| .. | ||
| BUILD | ||
| claims_test.go | ||
| claims.go | ||
| jwt_test.go | ||
| jwt.go | ||
| legacy.go | ||
| OWNERS | ||
| util_test.go | ||
| util.go | ||