GKE OIDC setup problem: "RefreshToken" field missing from "OAuth2Token" in the output config

Problem description    Votes: 0    Answers: 1

Following the instructions here: https://cloud.google.com/kubernetes-engine/docs/how-to/oidc#gcloud-config

I followed the instructions there and logged in with the following command:

kubectl oidc login --cluster=CLUSTER_NAME --login-config=login-config.yaml

I found a proposed solution to the problem: to resolve this issue, add prompt=consent to the authentication.oidc.extraParams field in the cluster configuration file, then regenerate the client authentication file. Reference: https://cloud.google.com/anthos/clusters/docs/on-prem/latest/troubleshoot-identity-authorization

I still get the same error. Sharing the contents of the authentication.oidc field from my login config:

authentication:
- name: oidc
  oidc:
    clientID: xxxxxxxxxxxxx
    clientSecret: yyyyyyyyyyy    # key names are case-sensitive (posted as "clientsecret")
    extraParams: resource=token-groups-claim, prompt=consent
    issuerURI: IDP URL
    cloudConsoleRedirectURI: https://console.cloud.google.com/kubernetes/oidc
    kubectlRedirectURI: http://localhost:3000
    scopes: openid, email
    userClaim: email
    groupsClaim: groups

Has anyone run into the same problem?

google-kubernetes-engine openid-connect kubectl
1 answer

0 votes

I noticed that it needs a refresh token, and therefore the corresponding scope. Reference link: https://cloud.google.com/anthos/identity/setup/fleet-cluster#okta

I don't know why this is mandatory.

authentication:
- name: idp
  oidc:
    clientID: *****5d7            # key names are case-sensitive (posted as "ClientID")
    clientSecret: ******iu
    cloudConsoleRedirectURI: https://console.cloud.google.com/kubernetes/oidc
    groupsClaim: groups
    extraParams: prompt=consent, access_type=offline
    issuerURI: https://idp-idp.com
    kubectlRedirectURI: http://127.0.0.1:10000
    scopes: openid,profile,groups,email,offline_access
    userClaim: sub
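The answer's config differs from the question's in three ways that matter for a refresh token: the offline_access scope, the access_type=offline extra parameter, and consistently cased key names. The following checker, added here as an illustration rather than code from the thread or from GKE, encodes those three requirements plus prompt=consent as a lint over the authentication[].oidc block. The two sample blocks are constructed from the question's and answer's configs with the secrets and issuer replaced by placeholders; whether a given IdP needs the scope, the extra parameter, or both is an assumption the rules make, so treat a finding as something to verify against your IdP's documentation.

```python
"""Lint an OIDC block of a GKE Identity Service login config for the
refresh-token prerequisites discussed in the thread. Added example;
not part of the original post and not GKE's own tooling."""
from typing import Dict, List

# Documented (case-sensitive) spellings of the keys the login needs.
REQUIRED_KEYS = ("clientID", "clientSecret", "issuerURI", "kubectlRedirectURI", "scopes")


def split_csv(value: str) -> List[str]:
    """Split a comma-separated field, tolerating the stray spaces seen in the post."""
    return [part.strip() for part in value.split(",") if part.strip()]


def parse_extra_params(value: str) -> Dict[str, str]:
    """Turn 'prompt=consent, access_type=offline' into {'prompt': 'consent', ...}."""
    params: Dict[str, str] = {}
    for item in split_csv(value):
        key, _, val = item.partition("=")
        params[key.strip()] = val.strip()
    return params


def refresh_token_findings(oidc: Dict[str, str]) -> Dict[str, str]:
    """Return {check_id: explanation} for each prerequisite the block does not meet.

    An empty result means the block carries everything the answer's fix has:
    correctly cased keys, the offline_access scope (the Okta-style fix) and
    access_type=offline plus prompt=consent (the Google-style fix).
    """
    findings: Dict[str, str] = {}

    # Key names are case-sensitive; catch 'clientsecret' / 'ClientID' style typos.
    lowered = {key.lower(): key for key in oidc}
    for key in REQUIRED_KEYS:
        if key not in oidc:
            actual = lowered.get(key.lower())
            if actual is not None:
                findings[f"key.{key}"] = f"found '{actual}'; the key is case-sensitive, use '{key}'"
            else:
                findings[f"key.{key}"] = "missing"

    scopes = split_csv(oidc.get("scopes", ""))
    params = parse_extra_params(oidc.get("extraParams", ""))

    if "openid" not in scopes:
        findings["scopes.openid"] = "OIDC requires the openid scope"
    if "offline_access" not in scopes:
        findings["scopes.offline_access"] = "add offline_access so the IdP returns a refresh token"
    if params.get("access_type") != "offline":
        findings["extraParams.access_type"] = "add access_type=offline so the IdP returns a refresh token"
    if params.get("prompt") != "consent":
        findings["extraParams.prompt"] = "add prompt=consent so consent (and the refresh token) is re-issued"
    return findings


# Constructed from the question's block; secrets and issuer are placeholders.
QUESTION_OIDC = {
    "clientID": "xxxxxxxxxxxxx",
    "clientsecret": "yyyyyyyyyyy",  # wrong case, exactly as posted
    "extraParams": "resource=token-groups-claim, prompt=consent",
    "issuerURI": "https://idp.example.com",
    "cloudConsoleRedirectURI": "https://console.cloud.google.com/kubernetes/oidc",
    "kubectlRedirectURI": "http://localhost:3000",
    "scopes": "openid, email",
    "userClaim": "email",
    "groupsClaim": "groups",
}

# Constructed from the answer's block; secrets and issuer are placeholders.
ANSWER_OIDC = {
    "clientID": "xxxxxxxxxxxxx",
    "clientSecret": "yyyyyyyyyyy",
    "cloudConsoleRedirectURI": "https://console.cloud.google.com/kubernetes/oidc",
    "groupsClaim": "groups",
    "extraParams": "prompt=consent, access_type=offline",
    "issuerURI": "https://idp.example.com",
    "kubectlRedirectURI": "http://127.0.0.1:10000",
    "scopes": "openid,profile,groups,email,offline_access",
    "userClaim": "sub",
}

if __name__ == "__main__":
    for label, block in (("question", QUESTION_OIDC), ("answer", ANSWER_OIDC)):
        result = refresh_token_findings(block)
        print(f"{label}: {'ok' if not result else ''}")
        for check, why in result.items():
            print(f"  {check}: {why}")
```

Run against the question's block it reports the miscased clientSecret key, the missing offline_access scope and the missing access_type=offline parameter; the answer's block passes cleanly, which is the difference the thread's fix makes.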