K8s: Pass ID token in X-Extra-id-token header (#82893)

2025-02-25 18:55:37 -06:00 · 2024-02-16 10:07:37 -05:00 · 2024-02-16 10:07:37 -05:00 · 8f0431ba46
commit 8f0431ba46
parent ffb9a4de4a
2 changed files with 7 additions and 4 deletions
--- a/pkg/services/apiserver/auth/authenticator/signedinuser.go
+++ b/pkg/services/apiserver/auth/authenticator/signedinuser.go
@ -25,15 +25,18 @@ func signedInUserAuthenticator(req *http.Request) (*authenticator.Response, bool
 		Name:   signedInUser.Login,
 		UID:    signedInUser.UserUID,
 		Groups: []string{},
-		Extra:  map[string][]string{},
+		// In order to faithfully round-trip through an impersonation flow, Extra keys MUST be lowercase.
+		// see: https://pkg.go.dev/k8s.io/apiserver@v0.27.1/pkg/authentication/user#Info
+		Extra: map[string][]string{},
 	}

 	for _, v := range signedInUser.Teams {
 		userInfo.Groups = append(userInfo.Groups, strconv.FormatInt(v, 10))
 	}

+	//
 	if signedInUser.IDToken != "" {
-		userInfo.Extra["ID-Token"] = []string{signedInUser.IDToken}
+		userInfo.Extra["id-token"] = []string{signedInUser.IDToken}
 	}

 	return &authenticator.Response{
--- a/pkg/services/apiserver/auth/authenticator/signedinuser_test.go
+++ b/pkg/services/apiserver/auth/authenticator/signedinuser_test.go
@ -47,7 +47,7 @@ func TestSignedInUser(t *testing.T) {
 		require.Equal(t, u.Login, res.User.GetName())
 		require.Equal(t, u.UserUID, res.User.GetUID())
 		require.Equal(t, []string{"1", "2"}, res.User.GetGroups())
-		require.Empty(t, res.User.GetExtra()["ID-Token"])
+		require.Empty(t, res.User.GetExtra()["id-token"])
 	})

 	t.Run("should set ID token when available", func(t *testing.T) {
@ -72,7 +72,7 @@ func TestSignedInUser(t *testing.T) {
 		require.Equal(t, u.Login, res.User.GetName())
 		require.Equal(t, u.UserUID, res.User.GetUID())
 		require.Equal(t, []string{"1", "2"}, res.User.GetGroups())
-		require.Equal(t, "test-id-token", res.User.GetExtra()["ID-Token"][0])
+		require.Equal(t, "test-id-token", res.User.GetExtra()["id-token"][0])
 	})
 }