authn: add Audiences to TokenReview

This commit is contained in:
Mike Danese 2018-04-17 07:53:05 -07:00
parent 3ea3cfc3be
commit 04837fdef1
3 changed files with 52 additions and 0 deletions

View File

@ -59,6 +59,12 @@ type TokenReview struct {
type TokenReviewSpec struct {
// Token is the opaque bearer token.
Token string
// Audiences is a list of the identifiers that the resource server presented
// with the token identifies as. Audience-aware token authenticators will
// verify that the token was intended for at least one of the audiences in
// this list. If no audiences are provided, the audience will default to the
// audience of the Kubernetes apiserver.
Audiences []string
}
// TokenReviewStatus is the result of the token authentication request.
@ -68,6 +74,16 @@ type TokenReviewStatus struct {
Authenticated bool
// User is the UserInfo associated with the provided token.
User UserInfo
// Audiences are audience identifiers chosen by the authenticator that are
// compatible with both the TokenReview and token. An identifier is any
// identifier in the intersection of the TokenReviewSpec audiences and the
// token's audiences. A client of the TokenReview API that sets the
// spec.audiences field should validate that a compatible audience identifier
// is returned in the status.audiences field to ensure that the TokenReview
// server is audience aware. If a TokenReview returns an empty
// status.audience field where status.authenticated is "true", the token is
// valid against the audience of the Kubernetes API server.
Audiences []string
// Error indicates that the token couldn't be checked
Error string
}

View File

@ -64,6 +64,13 @@ type TokenReviewSpec struct {
// Token is the opaque bearer token.
// +optional
Token string `json:"token,omitempty" protobuf:"bytes,1,opt,name=token"`
// Audiences is a list of the identifiers that the resource server presented
// with the token identifies as. Audience-aware token authenticators will
// verify that the token was intended for at least one of the audiences in
// this list. If no audiences are provided, the audience will default to the
// audience of the Kubernetes apiserver.
// +optional
Audiences []string `json:"audiences,omitempty" protobuf:"bytes,2,rep,name=audiences"`
}
// TokenReviewStatus is the result of the token authentication request.
@ -74,6 +81,17 @@ type TokenReviewStatus struct {
// User is the UserInfo associated with the provided token.
// +optional
User UserInfo `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"`
// Audiences are audience identifiers chosen by the authenticator that are
// compatible with both the TokenReview and token. An identifier is any
// identifier in the intersection of the TokenReviewSpec audiences and the
// token's audiences. A client of the TokenReview API that sets the
// spec.audiences field should validate that a compatible audience identifier
// is returned in the status.audiences field to ensure that the TokenReview
// server is audience aware. If a TokenReview returns an empty
// status.audience field where status.authenticated is "true", the token is
// valid against the audience of the Kubernetes API server.
// +optional
Audiences []string `json:"audiences,omitempty" protobuf:"bytes,4,rep,name=audiences"`
// Error indicates that the token couldn't be checked
// +optional
Error string `json:"error,omitempty" protobuf:"bytes,3,opt,name=error"`

View File

@ -48,6 +48,13 @@ type TokenReviewSpec struct {
// Token is the opaque bearer token.
// +optional
Token string `json:"token,omitempty" protobuf:"bytes,1,opt,name=token"`
// Audiences is a list of the identifiers that the resource server presented
// with the token identifies as. Audience-aware token authenticators will
// verify that the token was intended for at least one of the audiences in
// this list. If no audiences are provided, the audience will default to the
// audience of the Kubernetes apiserver.
// +optional
Audiences []string `json:"audiences,omitempty" protobuf:"bytes,2,rep,name=audiences"`
}
// TokenReviewStatus is the result of the token authentication request.
@ -58,6 +65,17 @@ type TokenReviewStatus struct {
// User is the UserInfo associated with the provided token.
// +optional
User UserInfo `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"`
// Audiences are audience identifiers chosen by the authenticator that are
// compatible with both the TokenReview and token. An identifier is any
// identifier in the intersection of the TokenReviewSpec audiences and the
// token's audiences. A client of the TokenReview API that sets the
// spec.audiences field should validate that a compatible audience identifier
// is returned in the status.audiences field to ensure that the TokenReview
// server is audience aware. If a TokenReview returns an empty
// status.audience field where status.authenticated is "true", the token is
// valid against the audience of the Kubernetes API server.
// +optional
Audiences []string `json:"audiences,omitempty" protobuf:"bytes,4,rep,name=audiences"`
// Error indicates that the token couldn't be checked
// +optional
Error string `json:"error,omitempty" protobuf:"bytes,3,opt,name=error"`