Class OpenIdConnectTokenAuthenticationConfig
The properties that configure OIDC token authentication in kube-apiserver. For more information, see Configuring the API Server.
Namespace: Oci.ContainerengineService.Models
Assembly: OCI.DotNetSDK.Containerengine.dll
Syntax
public class OpenIdConnectTokenAuthenticationConfig
Properties
CaCertificate
Declaration
[JsonProperty(PropertyName = "caCertificate")]
public string CaCertificate { get; set; }
Property Value
| Type | Description |
|---|---|
| string | A Base64 encoded public RSA or ECDSA certificate used to sign your identity provider's web certificate. |
ClientId
Declaration
[JsonProperty(PropertyName = "clientId")]
public string ClientId { get; set; }
Property Value
| Type | Description |
|---|---|
| string | A client id that all tokens must be issued for. |
ConfigurationFile
Declaration
[JsonProperty(PropertyName = "configurationFile")]
public string ConfigurationFile { get; set; }
Property Value
| Type | Description |
|---|---|
| string | A Base64 encoded string of a Kubernetes OIDC Auth Config file. |
GroupsClaim
Declaration
[JsonProperty(PropertyName = "groupsClaim")]
public string GroupsClaim { get; set; }
Property Value
| Type | Description |
|---|---|
| string | JWT claim to use as the user's group. If the claim is present it must be an array of strings. |
GroupsPrefix
Declaration
[JsonProperty(PropertyName = "groupsPrefix")]
public string GroupsPrefix { get; set; }
Property Value
| Type | Description |
|---|---|
| string | Prefix prepended to group claims to prevent clashes with existing names (such as system:groups). |
IsOpenIdConnectAuthEnabled
Declaration
[Required(ErrorMessage = "IsOpenIdConnectAuthEnabled is required.")]
[JsonProperty(PropertyName = "isOpenIdConnectAuthEnabled")]
public bool? IsOpenIdConnectAuthEnabled { get; set; }
Property Value
| Type | Description |
|---|---|
| bool? | Whether the cluster has OIDC Auth Config enabled. Defaults to false. |
Remarks
Required
IssuerUrl
Declaration
[JsonProperty(PropertyName = "issuerUrl")]
public string IssuerUrl { get; set; }
Property Value
| Type | Description |
|---|---|
| string | URL of the provider that allows the API server to discover public signing keys. Only URLs that use the https:// scheme are accepted. This is typically the provider's discovery URL, changed to have an empty path. |
RequiredClaims
Declaration
[JsonProperty(PropertyName = "requiredClaims")]
public List<KeyValue> RequiredClaims { get; set; }
Property Value
| Type | Description |
|---|---|
| List<KeyValue> | Each entry is a key=value pair that describes a required claim in the ID Token. If set, the claim is verified to be present in the ID Token with a matching value. Add one entry per required claim. |
SigningAlgorithms
Declaration
[JsonProperty(PropertyName = "signingAlgorithms")]
public List<string> SigningAlgorithms { get; set; }
Property Value
| Type | Description |
|---|---|
| List<string> | The signing algorithms accepted. Default is ["RS256"]. |
UsernameClaim
Declaration
[JsonProperty(PropertyName = "usernameClaim")]
public string UsernameClaim { get; set; }
Property Value
| Type | Description |
|---|---|
| string | JWT claim to use as the user name. By default sub, which is expected to be a unique identifier of the end user. Admins can choose other claims, such as email or name, depending on their provider. However, claims other than email will be prefixed with the issuer URL to prevent naming clashes with other plugins. |
UsernamePrefix
Declaration
[JsonProperty(PropertyName = "usernamePrefix")]
public string UsernamePrefix { get; set; }
Property Value
| Type | Description |
|---|---|
| string | Prefix prepended to username claims to prevent clashes with existing names (such as system:users). For example, the value oidc: will create usernames like oidc:jane.doe. If this flag isn't provided and --oidc-username-claim is a value other than email the prefix defaults to ( Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value - can be used to disable all prefixing. |
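The claim-mapping rules spelled out across UsernameClaim, UsernamePrefix, GroupsClaim, GroupsPrefix and RequiredClaims, as an added Python model. This is illustration written for this page, not SDK or kube-apiserver code; it assumes the token's signature has already been verified against the issuer's published keys, and uses the standard OIDC `iss` and `aud` claim names for the issuer and client-id checks.

```python
# Added illustration of the documented claim-mapping rules; not SDK or
# kube-apiserver code. Assumes the ID token signature was already verified.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OidcConfig:
    issuer_url: str
    client_id: str
    username_claim: str = "sub"
    username_prefix: Optional[str] = None      # None: prefix not provided
    groups_claim: Optional[str] = None
    groups_prefix: str = ""
    required_claims: dict = field(default_factory=dict)
    signing_algorithms: list = field(default_factory=lambda: ["RS256"])


def resolve_identity(cfg: OidcConfig, claims: dict, alg: str) -> dict:
    """Map ID-token claims to {"username", "groups"} or raise ValueError."""
    if alg not in cfg.signing_algorithms:
        raise ValueError(f"signing algorithm {alg} not accepted")
    # Standard OIDC claims: iss names the issuer, aud the client the token is for.
    if claims.get("iss") != cfg.issuer_url:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if cfg.client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for the configured client id")
    for key, value in cfg.required_claims.items():
        if claims.get(key) != value:
            raise ValueError(f"required claim {key}={value} missing or mismatched")
    if cfg.username_claim not in claims:
        raise ValueError(f"username claim {cfg.username_claim} missing")
    # Username prefix rules from the UsernamePrefix description.
    if cfg.username_prefix is None:
        prefix = "" if cfg.username_claim == "email" else f"{cfg.issuer_url}#"
    elif cfg.username_prefix == "-":
        prefix = ""
    else:
        prefix = cfg.username_prefix
    groups: list = []
    if cfg.groups_claim and cfg.groups_claim in claims:
        raw = claims[cfg.groups_claim]
        if not isinstance(raw, list) or not all(isinstance(g, str) for g in raw):
            raise ValueError("groups claim must be an array of strings")
        groups = [cfg.groups_prefix + g for g in raw]
    return {"username": prefix + str(claims[cfg.username_claim]), "groups": groups}
```

The empty-prefix and `-` cases matter operationally: without a prefix, a provider-issued `sub` or group such as `system:masters` would collide with built-in Kubernetes names.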