Kubernetes OIDC and Issuer URL Validation

Hi all!

I want to run OIDC authentication with Keycloak on my Kubernetes 1.19 cluster on AWS EKS.

My problem is that it seems that the API Server makes an issuer URL validation and verifies that both issuer URLs match.

The documentation only mentions a signature validation. See Authenticating | Kubernetes. Is there an issuer URL validation, or is it AWS specific?

I’m suspecting kubernetes/verify.go at v1.21.0 · kubernetes/kubernetes · GitHub, but I am not sure.

In my case the issuer URL in the ID token is different from the issuer URL configured on the API server.

Is there any chance I can skip the issuer URL validation?

Cheers,
Chris
