mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-28 14:07:14 +00:00
authn: add Audiences to TokenReview
This commit is contained in:
parent
3ea3cfc3be
commit
04837fdef1
@ -59,6 +59,12 @@ type TokenReview struct {
|
||||
type TokenReviewSpec struct {
|
||||
// Token is the opaque bearer token.
|
||||
Token string
|
||||
// Audiences is a list of the identifiers that the resource server presented
|
||||
// with the token identifies as. Audience-aware token authenticators will
|
||||
// verify that the token was intended for at least one of the audiences in
|
||||
// this list. If no audiences are provided, the audience will default to the
|
||||
// audience of the Kubernetes apiserver.
|
||||
Audiences []string
|
||||
}
|
||||
|
||||
// TokenReviewStatus is the result of the token authentication request.
|
||||
@ -68,6 +74,16 @@ type TokenReviewStatus struct {
|
||||
Authenticated bool
|
||||
// User is the UserInfo associated with the provided token.
|
||||
User UserInfo
|
||||
// Audiences are audience identifiers chosen by the authenticator that are
|
||||
// compatible with both the TokenReview and token. An identifier is any
|
||||
// identifier in the intersection of the TokenReviewSpec audiences and the
|
||||
// token's audiences. A client of the TokenReview API that sets the
|
||||
// spec.audiences field should validate that a compatible audience identifier
|
||||
// is returned in the status.audiences field to ensure that the TokenReview
|
||||
// server is audience aware. If a TokenReview returns an empty
|
||||
// status.audience field where status.authenticated is "true", the token is
|
||||
// valid against the audience of the Kubernetes API server.
|
||||
Audiences []string
|
||||
// Error indicates that the token couldn't be checked
|
||||
Error string
|
||||
}
|
||||
|
@ -64,6 +64,13 @@ type TokenReviewSpec struct {
|
||||
// Token is the opaque bearer token.
|
||||
// +optional
|
||||
Token string `json:"token,omitempty" protobuf:"bytes,1,opt,name=token"`
|
||||
// Audiences is a list of the identifiers that the resource server presented
|
||||
// with the token identifies as. Audience-aware token authenticators will
|
||||
// verify that the token was intended for at least one of the audiences in
|
||||
// this list. If no audiences are provided, the audience will default to the
|
||||
// audience of the Kubernetes apiserver.
|
||||
// +optional
|
||||
Audiences []string `json:"audiences,omitempty" protobuf:"bytes,2,rep,name=audiences"`
|
||||
}
|
||||
|
||||
// TokenReviewStatus is the result of the token authentication request.
|
||||
@ -74,6 +81,17 @@ type TokenReviewStatus struct {
|
||||
// User is the UserInfo associated with the provided token.
|
||||
// +optional
|
||||
User UserInfo `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"`
|
||||
// Audiences are audience identifiers chosen by the authenticator that are
|
||||
// compatible with both the TokenReview and token. An identifier is any
|
||||
// identifier in the intersection of the TokenReviewSpec audiences and the
|
||||
// token's audiences. A client of the TokenReview API that sets the
|
||||
// spec.audiences field should validate that a compatible audience identifier
|
||||
// is returned in the status.audiences field to ensure that the TokenReview
|
||||
// server is audience aware. If a TokenReview returns an empty
|
||||
// status.audience field where status.authenticated is "true", the token is
|
||||
// valid against the audience of the Kubernetes API server.
|
||||
// +optional
|
||||
Audiences []string `json:"audiences,omitempty" protobuf:"bytes,4,rep,name=audiences"`
|
||||
// Error indicates that the token couldn't be checked
|
||||
// +optional
|
||||
Error string `json:"error,omitempty" protobuf:"bytes,3,opt,name=error"`
|
||||
|
@ -48,6 +48,13 @@ type TokenReviewSpec struct {
|
||||
// Token is the opaque bearer token.
|
||||
// +optional
|
||||
Token string `json:"token,omitempty" protobuf:"bytes,1,opt,name=token"`
|
||||
// Audiences is a list of the identifiers that the resource server presented
|
||||
// with the token identifies as. Audience-aware token authenticators will
|
||||
// verify that the token was intended for at least one of the audiences in
|
||||
// this list. If no audiences are provided, the audience will default to the
|
||||
// audience of the Kubernetes apiserver.
|
||||
// +optional
|
||||
Audiences []string `json:"audiences,omitempty" protobuf:"bytes,2,rep,name=audiences"`
|
||||
}
|
||||
|
||||
// TokenReviewStatus is the result of the token authentication request.
|
||||
@ -58,6 +65,17 @@ type TokenReviewStatus struct {
|
||||
// User is the UserInfo associated with the provided token.
|
||||
// +optional
|
||||
User UserInfo `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"`
|
||||
// Audiences are audience identifiers chosen by the authenticator that are
|
||||
// compatible with both the TokenReview and token. An identifier is any
|
||||
// identifier in the intersection of the TokenReviewSpec audiences and the
|
||||
// token's audiences. A client of the TokenReview API that sets the
|
||||
// spec.audiences field should validate that a compatible audience identifier
|
||||
// is returned in the status.audiences field to ensure that the TokenReview
|
||||
// server is audience aware. If a TokenReview returns an empty
|
||||
// status.audience field where status.authenticated is "true", the token is
|
||||
// valid against the audience of the Kubernetes API server.
|
||||
// +optional
|
||||
Audiences []string `json:"audiences,omitempty" protobuf:"bytes,4,rep,name=audiences"`
|
||||
// Error indicates that the token couldn't be checked
|
||||
// +optional
|
||||
Error string `json:"error,omitempty" protobuf:"bytes,3,opt,name=error"`
|
||||
|
Loading…
Reference in New Issue
Block a user