Merge pull request #58752 from puja108/patch-1

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Updated Readme for Azure (OIDC) auth provider **What this PR does / why we need it**: When trying this documentation in the field, I ran into some issues based on details missing here. I got it working in the end with some help from @stuartleeks from Microsoft, this PR is to help others trying to set this up not have the same question marks I had. **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: None AFAIK **Special notes for your reviewer**: Includes: * Added details and clarifications based on my experience * Some minor copy editing Not sure if this requires release notes, I consider it a very small change. **Release note**: ```release-note NONE ``` Kubernetes-commit: 99e77a76be66ce300ead09d1fe1e6300dc274d6d
2025-06-25 06:31:35 +00:00 · 2018-04-11 05:23:36 -07:00 · 2018-04-11 05:23:36 -07:00 · dd92f6b113
commit dd92f6b113
parent 94b05e5087 dcdb23334e
2 changed files with 63 additions and 61 deletions
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@ -360,215 +360,215 @@
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/equality",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/errors",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/meta",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/resource",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/testing",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/testing/fuzzer",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/testing/roundtrip",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apimachinery",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apimachinery/announced",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apimachinery/registered",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/fuzzer",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/internalversion",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1beta1",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/conversion",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/conversion/queryparams",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/fields",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/labels",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/schema",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/json",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/protobuf",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/recognizer",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/streaming",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/versioning",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/selection",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/types",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/cache",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/clock",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/diff",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/errors",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/framer",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/httpstream",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/intstr",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/json",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/mergepatch",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/net",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/remotecommand",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/runtime",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/sets",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/strategicpatch",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/validation",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/validation/field",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/wait",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/yaml",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/version",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/watch",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/json",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/netutil",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/reflect",
-			"Rev": "5d4f0da8e5fde7cbadf8ab3ce5cfb76f86dd854e"
+			"Rev": "895b82eadff27f5a6b19d80628a04645823c1e46"
 		},
 		{
 			"ImportPath": "k8s.io/kube-openapi/pkg/util/proto",
--- a/plugin/pkg/client/auth/azure/README.md
+++ b/plugin/pkg/client/auth/azure/README.md
@ -1,15 +1,14 @@
 # Azure Active Directory plugin for client authentication

-This plugin provides an integration with Azure Active Directory device flow. If no tokens are present in the kubectl configuration, it will prompt a device code which can be used to login in a browser. After login it will automatically fetch the tokens and stored them in the kubectl configuration. In addition it will refresh and update the tokens in configuration when expired.
-
+This plugin provides an integration with Azure Active Directory device flow. If no tokens are present in the kubectl configuration, it will prompt a device code which can be used to login in a browser. After login it will automatically fetch the tokens and store them in the kubectl configuration. In addition it will refresh and update the tokens in the configuration when expired.

 ## Usage

-1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration)
+1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration). The callback URL does not matter (just cannot be empty).

-2. Create a second Azure Active Directory native application for `kubectl` 
+2. Create a second Azure Active Directory native application for `kubectl`. The callback URL does not matter (just cannot be empty).

-3. On `kubectl` application's configuration page in Azure portal grant permissions to `apiserver` application by clicking on *Required Permissions*, click the *Add* button and search for the apiserver application created in step 1. Select "Access apiserver" under the *DELEGATED PERMISSIONS*. Once added click the *Grant Permissions* button to apply the changes
+3. On `kubectl` application's configuration page in Azure portal grant permissions to `apiserver` application by clicking on *Required Permissions*, click the *Add* button and search for the apiserver application created in step 1. Select "Access apiserver" under the *DELEGATED PERMISSIONS*. Once added click the *Grant Permissions* button to apply the changes.

 4. Configure the `apiserver` to use the Azure Active Directory as an OIDC provider with following options

@ -21,8 +20,9 @@ This plugin provides an integration with Azure Active Directory device flow. If

   * Replace the `APISERVER_APPLICATION_ID` with the application ID of `apiserver` application
   * Replace `TENANT_ID` with your tenant ID.
+   * For a list of alternative username claims that are supported by the OIDC issuer check the JSON response at `https://sts.windows.net/TENANT_ID/.well-known/openid-configuration`.

-5. Configure the `kubectl` to use the `azure` authentication provider 
+5. Configure `kubectl` to use the `azure` authentication provider 

   ```
   kubectl config set-credentials "USER_NAME" --auth-provider=azure \
@ -36,6 +36,7 @@ This plugin provides an integration with Azure Active Directory device flow. If
   * Replace `USER_NAME` and `TENANT_ID` with your user name and tenant ID
   * Replace `APPLICATION_ID` with the application ID of your`kubectl` application ID
   * Replace `APISERVER_APPLICATION_ID` with the application ID of your `apiserver` application ID
+   * Be sure to also (create and) select a context that uses above user

 6. The access token is acquired when first `kubectl` command is executed

@ -45,4 +46,5 @@ This plugin provides an integration with Azure Active Directory device flow. If
   To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code DEC7D48GA to authenticate.
   ```

-   * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing next commands.
+   * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing further commands.
+   * The resulting username in Kubernetes depends on your [configuration of the `--oidc-username-claim` and `--oidc-username-prefix` flags on the API server](https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server). If you are using any authorization method you need to give permissions to that user, e.g. by binding the user to a role in the case of RBAC.