Skip to content

Commit f932a74

Browse files
nnlkcncffnnlkcncff
authored
fix description --oidc-issuer-url.md (#42941)
* fix description --oidc-issuer-url.md https://accounts.google.com/ <= above └─ .well-known/openid-configuration <= below * Update authentication.md Fixed the description of `--oidc-issuer-url`.
1 parent c9732d7 commit f932a74

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

content/en/docs/reference/access-authn-authz/authentication.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -312,7 +312,7 @@ To enable the plugin, configure the following flags on the API server:
312312

313313
| Parameter | Description | Example | Required |
314314
| --------- | ----------- | ------- | ------- |
315-
| `--oidc-issuer-url` | URL of the provider which allows the API server to discover public signing keys. Only URLs which use the `https://` scheme are accepted. This is typically the provider's discovery URL without a path, for example "https://accounts.google.com" or "https://login.salesforce.com". This URL should point to the level below .well-known/openid-configuration | If the discovery URL is `https://accounts.google.com/.well-known/openid-configuration`, the value should be `https://accounts.google.com` | Yes |
315+
| `--oidc-issuer-url` | URL of the provider that allows the API server to discover public signing keys. Only URLs that use the `https://` scheme are accepted. This is typically the provider's discovery URL, changed to have an empty path | If the issuer's OIDC discovery URL is `https://accounts.provider.example/.well-known/openid-configuration`, the value should be `https://accounts.provider.example` | Yes |
316316
| `--oidc-client-id` | A client id that all tokens must be issued for. | kubernetes | Yes |
317317
| `--oidc-username-claim` | JWT claim to use as the user name. By default `sub`, which is expected to be a unique identifier of the end user. Admins can choose other claims, such as `email` or `name`, depending on their provider. However, claims other than `email` will be prefixed with the issuer URL to prevent naming clashes with other plugins. | sub | No |
318318
| `--oidc-username-prefix` | Prefix prepended to username claims to prevent clashes with existing names (such as `system:` users). For example, the value `oidc:` will create usernames like `oidc:jane.doe`. If this flag isn't provided and `--oidc-username-claim` is a value other than `email` the prefix defaults to `( Issuer URL )#` where `( Issuer URL )` is the value of `--oidc-issuer-url`. The value `-` can be used to disable all prefixing. | `oidc:` | No |

0 commit comments

Comments
 (0)