oidc: respect the legacy goog issuer

2025-08-08 03:33:56 +00:00 · 2018-09-19 12:16:43 -07:00 · 2018-09-19 12:16:43 -07:00 · 1873ad48d0
commit 1873ad48d0
parent 6eeff3e6c9
2 changed files with 28 additions and 0 deletions
--- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
+++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
@ -342,6 +342,12 @@ func untrustedIssuer(token string) (string, error) {
 	if err := json.Unmarshal(payload, &claims); err != nil {
 		return "", fmt.Errorf("while unmarshaling token: %v", err)
 	}
+	// Coalesce the legacy GoogleIss with the new one.
+	//
+	// http://openid.net/specs/openid-connect-core-1_0.html#GoogleIss
+	if claims.Issuer == "accounts.google.com" {
+		return "https://accounts.google.com", nil
+	}
 	return claims.Issuer, nil
 }

--- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go
+++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go
@ -1365,6 +1365,28 @@ func TestToken(t *testing.T) {
 			},
 			wantInitErr: true,
 		},
+		{
+			name: "accounts.google.com issuer",
+			options: Options{
+				IssuerURL:     "https://accounts.google.com",
+				ClientID:      "my-client",
+				UsernameClaim: "email",
+				now:           func() time.Time { return now },
+			},
+			claims: fmt.Sprintf(`{
+				"iss": "accounts.google.com",
+				"email": "thomas.jefferson@gmail.com",
+				"aud": "my-client",
+				"exp": %d
+			}`, valid.Unix()),
+			signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256),
+			pubKeys: []*jose.JSONWebKey{
+				loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256),
+			},
+			want: &user.DefaultInfo{
+				Name: "thomas.jefferson@gmail.com",
+			},
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, test.run)