From 48f7f6fb676eac9dca3332ad73b9321638fc7c69 Mon Sep 17 00:00:00 2001
From: Charles Eckman
Date: Mon, 28 Jan 2019 15:27:02 -0800
Subject: [PATCH] Fix typo, and note when BoundObjectRef isn't checked
- s/objet/object/
- A relying party (validating a token) may not have access to the resource named in the `BoundObjectRef`; only the API server can be asserted to have access. Note this in the field's documentation.
---
 pkg/apis/authentication/types.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/apis/authentication/types.go b/pkg/apis/authentication/types.go
index 203bf22bb34..a33dfe98985 100644
--- a/pkg/apis/authentication/types.go
+++ b/pkg/apis/authentication/types.go
@@ -135,7 +135,9 @@ type TokenRequestSpec struct {
 ExpirationSeconds int64
 // BoundObjectRef is a reference to an object that the token will be bound to.
- // The token will only be valid for as long as the bound objet exists.
+ // The token will only be valid for as long as the bound object exists.
+ // NOTE: The API server will validate the BoundObjectRef, but other audiences
+ // may not. Keep ExpirationSeconds small if you want prompt revocation.
 BoundObjectRef *BoundObjectReference
 }
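Review bot: The added NOTE on BoundObjectRef leaves the security consequence implicit: it does not say that an audience which verifies the token on its own (signature, audience, expiry) has no way to learn that the bound object was deleted, so it keeps accepting the token until it expires. Spelling that out and naming the path that does enforce the binding would make the revocation caveat actionable, e.g. `// NOTE: Only the API server checks that the bound object still exists (for example when the token is presented in a TokenReview); audiences that verify the token themselves keep accepting it after the object is deleted, until it expires.` That TokenReview performs this check is my understanding of the API server's behaviour and should be confirmed before it goes into the comment. The hunk touches only the internal type, so if the versioned API types carry their own copy of this field comment they would presumably need the same note. TokenRequestSpec begins above the hunk.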