K8s: Pass ID token in X-Extra-id-token header (#82893)

pkg/services/apiserver/auth/authenticator/signedinuser.go

@@ -25,15 +25,18 @@ func signedInUserAuthenticator(req *http.Request) (*authenticator.Response, bool
 		Name:   signedInUser.Login,
 		UID:    signedInUser.UserUID,
 		Groups: []string{},
-		Extra:  map[string][]string{},
+		// In order to faithfully round-trip through an impersonation flow, Extra keys MUST be lowercase.
+		// see: https://pkg.go.dev/k8s.io/apiserver@v0.27.1/pkg/authentication/user#Info
+		Extra: map[string][]string{},
 	}
 
 	for _, v := range signedInUser.Teams {
 		userInfo.Groups = append(userInfo.Groups, strconv.FormatInt(v, 10))
 	}
 
+	//
 	if signedInUser.IDToken != "" {
-		userInfo.Extra["ID-Token"] = []string{signedInUser.IDToken}
+		userInfo.Extra["id-token"] = []string{signedInUser.IDToken}
 	}
 
 	return &authenticator.Response{

pkg/services/apiserver/auth/authenticator/signedinuser_test.go

@@ -47,7 +47,7 @@ func TestSignedInUser(t *testing.T) {
 		require.Equal(t, u.Login, res.User.GetName())
 		require.Equal(t, u.UserUID, res.User.GetUID())
 		require.Equal(t, []string{"1", "2"}, res.User.GetGroups())
-		require.Empty(t, res.User.GetExtra()["ID-Token"])
+		require.Empty(t, res.User.GetExtra()["id-token"])
 	})
 
 	t.Run("should set ID token when available", func(t *testing.T) {
@@ -72,7 +72,7 @@ func TestSignedInUser(t *testing.T) {
 		require.Equal(t, u.Login, res.User.GetName())
 		require.Equal(t, u.UserUID, res.User.GetUID())
 		require.Equal(t, []string{"1", "2"}, res.User.GetGroups())
-		require.Equal(t, "test-id-token", res.User.GetExtra()["ID-Token"][0])
+		require.Equal(t, "test-id-token", res.User.GetExtra()["id-token"][0])
 	})
 }