Is Pinniped working with unverified e-mails from our OIDC? #1034
-
I deployed kubeapps with
where
Now, when I try to login with a verified e-mail address things are usual - and desired. If I use an unverified, however, I am immediately forwarded to the login page The logs say the following for pinniped-proxy
and the auth-proxy says
Do you know whether it is possible to make work with unverified e-mails from Auth0? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 2 replies
-
At my side, my keycloak LDAP integration does exposes the |
Beta Was this translation helpful? Give feedback.
-
Hi @junoriosity, Thanks for the question. When you define a JWTAuthenticator, Pinniped actually leverages some code from the Kubernetes code base to help implement that feature. You can see it here in the Pinniped source code, where it constructs an object from the Kubernetes API sever library: Inside that Kubernetes library code, there is a check for the As you can see, it only performs this check if you are using Unfortunately, this behavior is not configurable at this time, so there is currently no way to ask Pinniped to skip this check. Does that help at all? Best, |
Beta Was this translation helpful? Give feedback.
Hi @junoriosity,
Thanks for the question.
When you define a JWTAuthenticator, Pinniped actually leverages some code from the Kubernetes code base to help implement that feature. You can see it here in the Pinniped source code, where it constructs an object from the Kubernetes API sever library:
pinniped/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
Line 203 in cd686ff
Inside that Kubernetes library code, there is a check for the
email_verified
claim. You can see that code here: https://github.com/kubernetes/kubernetes/blob/b435061c80eea02304cfd5affceca001fc67f9ba/staging/src/k8s.io/apiserver/plugin/pkg…