Hitting OIDC endpoint /.well-known/openid-configuration from outside cluster results in 401 Unauthorized

Using kOps to deploy a kubernetes cluster to AWS, I'm trying to configure an external Hashicorp Vault to use JWT/OIDC auth. Following the tutorial at https://www.vaultproject.io/docs/auth/jwt/oidc_providers#kubernetes, from the vault, I try to issue:

vault write auth/jwt/config oidc_discovery_url="${ISSUER}" [email protected]

But it comes back with a 401/Unauthorized. Prior to this on the kubernetes cluster I did:

kubectl create clusterrolebinding oidc-reviewer --clusterrole=system:service-account-issuer-discovery --group=system:unauthenticated

To supposedly ensure that the OIDC discovery URLs do not require authentication.

From the external vault machine, I simply try to:

curl --cacert ca.crt $ISSUER/.well-known/openid-configuration

And I also get a 401/Unauthorized. It is reaching the server OK so it's not a cert issue or anything, just something to do with the kubernetes/API configuration.

Additionally I changed the kOps deployment to supposedly AlwaysAllow API calls with:

apiVersion: kops.k8s.io/v1alpha2
kind: Cluster
spec:
  api:
    dns: { }
  authorization:
    alwaysAllow: { }

But this didn't make any difference.

Does anyone have an idea of what I could be missing?

I can otherwise create a kubectl proxy and hit the endpoint from there just fine.
Solution 1:[1]

You may want to enable OIDC discovery from kOps. This puts the OIDC discovery files in S3 rather than serving them from an authenticated endpoint on the APIServer:

spec:
  serviceAccountIssuerDiscovery:
    discoveryStore: s3://publicly-readable-store
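Whether the discovery documents are served by the API server or published to an S3 store as suggested above, the JWT auth backend needs the same three things from ${ISSUER}: an anonymously readable discovery document, an issuer value matching the configured URL, and a JWKS that contains the signing key of real service-account tokens. The check script below is an added example, not code from the question, the answer, kOps or Vault. The hostname, the key id, the `/openid/v1/jwks` path in the sample document and the sample token are constructed assumptions; the HTTP fetch is injectable so the checks run offline against those constructed documents.

```python
"""Check the OIDC discovery chain a JWT auth backend relies on (added example).

Verifies: (1) /.well-known/openid-configuration is readable WITHOUT credentials,
(2) its `issuer` equals the configured URL, (3) `jwks_uri` is readable
anonymously and publishes the `kid` of a real service-account token.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class CheckResult:
    ok: bool
    problems: list = field(default_factory=list)


def fetch_anonymous(url, cacert=None):
    """GET url with no Authorization header; return (status, body).
    A 401 here is exactly the symptom described in the question."""
    ctx = ssl.create_default_context(cafile=cacert)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_header(jwt):
    """Decode only the JOSE header (no signature check; we only need `kid`)."""
    return json.loads(_b64url_decode(jwt.split(".")[0]))


def check_discovery(issuer, doc):
    """Validate a parsed discovery document against the configured issuer."""
    problems = []
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document {doc.get('issuer')!r} vs configured {issuer!r}")
    if not doc.get("jwks_uri"):
        problems.append("discovery document has no jwks_uri")
    return CheckResult(not problems, problems)


def check_jwks(jwks, kid):
    """The key that signed the token must be published, or validation fails."""
    kids = [k.get("kid") for k in jwks.get("keys", [])]
    if not kids:
        return CheckResult(False, ["JWKS contains no keys"])
    if kid not in kids:
        return CheckResult(False, [f"token kid {kid!r} not among published kids {kids}"])
    return CheckResult(True)


def verify_chain(issuer, fetch=fetch_anonymous, cacert=None, sa_token=None):
    """discovery -> jwks -> kid, stopping at the first failure."""
    status, body = fetch(issuer.rstrip("/") + "/.well-known/openid-configuration", cacert)
    if status != 200:
        return CheckResult(False, [f"discovery endpoint returned HTTP {status}; it must be anonymously readable"])
    doc = json.loads(body)
    result = check_discovery(issuer, doc)
    if not result.ok:
        return result
    status, body = fetch(doc["jwks_uri"], cacert)
    if status != 200:
        return CheckResult(False, [f"jwks_uri returned HTTP {status}; it must be anonymously readable"])
    jwks = json.loads(body)
    if sa_token is None:  # no token to cross-check: only require that keys are published
        return CheckResult(bool(jwks.get("keys")), [] if jwks.get("keys") else ["JWKS contains no keys"])
    return check_jwks(jwks, token_header(sa_token).get("kid"))


# --- Constructed sample data (assumptions, not taken from the post) ----------
SAMPLE_ISSUER = "https://api.internal.example.com"
SAMPLE_KID = "kid-sample-1"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "jwks_uri": SAMPLE_ISSUER + "/openid/v1/jwks",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": SAMPLE_KID, "n": "AQAB", "e": "AQAB"}]})


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Header and claims shaped like a service-account token; the signature is a dummy.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": SAMPLE_KID}),
    _b64url({"iss": SAMPLE_ISSUER, "sub": "system:serviceaccount:default:vault"}),
    "c2ln"])


def healthy_fetch(url, cacert=None):
    """Stand-in for a cluster (or S3 store) serving both documents anonymously."""
    if url.endswith("/.well-known/openid-configuration"):
        return 200, SAMPLE_DISCOVERY
    if url.endswith("/openid/v1/jwks"):
        return 200, SAMPLE_JWKS
    return 404, ""


def rejected_fetch(url, cacert=None):
    """Stand-in for an API server refusing anonymous requests (the question's 401)."""
    return 401, '{"kind":"Status","code":401}'


if __name__ == "__main__":
    import sys  # usage: python check_oidc.py ISSUER [ca.crt] [service-account-token-file]
    cacert = sys.argv[2] if len(sys.argv) > 2 else None
    token = open(sys.argv[3]).read().strip() if len(sys.argv) > 3 else None
    res = verify_chain(sys.argv[1], cacert=cacert, sa_token=token)
    print("OK" if res.ok else "FAILED:\n  " + "\n  ".join(res.problems))
```

Run it from the Vault host with the same ${ISSUER} and ca.crt used in the `vault write` command; because it sends no bearer token, a reported HTTP 401 on the first step reproduces the curl result from the question, while an issuer mismatch or a missing kid points at the issuer flag or key publication rather than at anonymous access.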

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Ole Markus With