Understanding OpenID Connect
OpenID Connect is a standard identity federation protocol. It's built on the OAuth2 specification and has some very powerful features that make it the preferred choice for interacting with Kubernetes clusters.
The main benefits of OpenID Connect are as follows:
- Short-lived tokens: If a token is leaked, such as via a log message or breach, you want the token to expire as quickly as possible. With OIDC, you're able to specify tokens that can live for 1-2 minutes, which means the token will likely be expired by the time an attacker attempts to use it.
- User and group memberships: When we start talking about authorizations, we'll see quickly that it's important to manage access by groups instead of managing access by referencing users directly. OIDC tokens can embed both the user's identifier and their groups, leading to easier access management.
- Refresh tokens scoped to timeout policies: With short-lived tokens...