Is Pinniped working with unverified e-mails from our OIDC?

[junoriosity]

I deployed kubeapps with

kubectl apply -f https://get.pinniped.dev/v0.13.0/install-pinniped-concierge-crds.yaml
kubectl apply -f https://get.pinniped.dev/v0.13.0/install-pinniped-concierge-resources.yaml

cat <<EOF | kubectl apply -f -
kind: JWTAuthenticator
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
metadata:
  name: jwt-authenticator
spec:
  issuer: https://my-auth.eu.auth0.com/
  audience: my-client-id
  claims:
    groups: groups
    username: email
EOF

cat <<EOF | kubectl apply -f -
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubeapps-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: test@test.com
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: kubeapps-operators
EOF

kubectl create ns kubeapps
helm install kubeapps bitnami/kubeapps --namespace kubeapps -f myvals.yaml 

where myvals.yaml is

useHelm3: true
authProxy:
  additionalFlags:
    - --oidc-issuer-url=https://my-domain.eu.auth0.com
    - --insecure-oidc-allow-unverified-email=true
  clientID: my-client-id
  clientSecret: my-client-secret
  cookieSecret: bm90LWdvb2Qtc2VjcmV0Cg==
  enabled: true
  provider: oidc

pinnipedProxy:
  enabled: true # if using Pinniped, you'll need to enable this option here
#  defaultAuthenticatorType: jwt
#  defaultAuthenticatorName: jwt-authenticator

clusters:
  - name: default
    apiServiceURL: https://... # impersonation proxy URL
    certificateAuthorityData: ... #  impersonation proxy CA
    pinnipedConfig:
      enabled: true

Now, when I try to login with a verified e-mail address things are usual - and desired.

If I use an unverified, however, I am immediately forwarded to the login page

The logs say the following for pinniped-proxy

INFO pinniped_proxy::service > GET https://my-k8s-url/ 401 Unauthorized
ERROR pinniped_proxy::service > Unauthorized by pinniped: authentication failed

Caused by:
authentication failed

and the auth-proxy says

...
10.244.0.238:46912 - 82bb7643658afb8467e7e5d1c7e8212d - test4@test.com [2022/02/22 13:53:40] kubeapps.my-domain.com GET / "/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36" 304 0 0.002
10.244.0.238:46912 - 15b1691c72f0417f4d788b879b63d0fc - test4@test.com [2022/02/22 13:53:41] kubeapps.my-domain.com GET / "/custom_locale.json" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36" 200 2 0.002
10.244.0.238:46912 - 93d859119e308d2c5bcb826f2fc7600d - test4@test.com [2022/02/22 13:53:41] kubeapps.my-domain.com GET / "/custom_style.css" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36" 200 0 0.004
10.244.0.238:46912 - 86cb93454c5270f4bcbfc748a580ad44 - test4@test.com [2022/02/22 13:53:44] [AuthSuccess] Authenticated via OAuth2: Session{email:test4@test.com user:auth0|6214ead41f466500695785e2 PreferredUsername: token:true id_token:true created:2022-02-22 13:53:44.038554151 +0000 UTC m=+338.782961718 expires:2022-02-23 13:53:44.03808447 +0000 UTC m=+86738.782492059}
10.244.0.238:46912 - 86cb93454c5270f4bcbfc748a580ad44 - - [2022/02/22 13:53:43] kubeapps.my-domain.com GET - "/oauth2/callback?code=PshPsOkmUGlUe4ssiufoiQ6Ta_Aq8ymyjYlUj8w5cTWsl&state=vO8ZXsKyLG3QzZDDOZo4Diyf-S6xtERN9MixbBXu3fo%3A%2F" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36" 302 24 0.461
10.244.0.238:46912 - 7f6a789e88aa45449575d92846b64bad - - [2022/02/22 13:53:45] kubeapps.my-domain.com GET - "/oauth2/start" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36" 302 317 0.000
10.244.0.238:46912 - 54c2d227cc6f79868f1e19eedb78fd0d - test4@test.com [2022/02/22 13:53:46] kubeapps.my-domain.com GET / "/api/clusters/default/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36" 401 47 0.103
...

Do you know whether it is possible to make work with unverified e-mails from Auth0?

[aslafy-z]

At my side, my keycloak LDAP integration does exposes the email_verified claim but the value is always false. I created an hardcoded claim to overwrite the value coming from this integration to make it work with Pinniped as in https://stackoverflow.com/a/66173059.
I guess you can do kind of the same for Auth0.

[junoriosity]

Many thanks for your reply.

The point that matters to me is that later on I want to distinguish between verified and unverified users. Is that still possible here?

[cfryanr]

Hi @junoriosity,

Thanks for the question.

When you define a JWTAuthenticator, Pinniped actually leverages some code from the Kubernetes code base to help implement that feature. You can see it here in the Pinniped source code, where it constructs an object from the Kubernetes API sever library:

pinniped/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go

Line 203 in cd686ff

oidcAuthenticator, err := oidc.New(oidc.Options{

Inside that Kubernetes library code, there is a check for the email_verified claim. You can see that code here: https://github.com/kubernetes/kubernetes/blob/b435061c80eea02304cfd5affceca001fc67f9ba/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go#L584-L598

As you can see, it only performs this check if you are using email as the username claim. Even then, it further only performs the check if the email_verified claim is present in the JWT token. So workarounds would include using a different username claim, somehow forcing the email_verified claim to be omitted by your OIDC provider, or somehow forcing the email_verified claim to be true in your OIDC provider.

Unfortunately, this behavior is not configurable at this time, so there is currently no way to ask Pinniped to skip this check.

Does that help at all?

Best,
Ryan

[junoriosity]

Thanks for your fast and insightful reply.