This repository was archived by the owner on Aug 29, 2022. It is now read-only.

groups look up should be done at token verification time #11

Open
rajatjindal opened this issue Dec 7, 2017 · 0 comments

@rajatjindal
So I was talking to a gentleman at KubeCon; they are using an internal fork of kubernetes-ldap, and he brought up a very good point.

Today we get the list of groups for users at token generation time and then add that to the token, and it is valid for as long as that token is valid.

Now if the group membership has changed while the token is still valid, we don't see that change. This can be a security issue as well.

We should probably do the group lookup at token validation time.
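The gap described in this issue, as an added example that is not code from kubernetes-ldap or its fork: the same still-valid token is verified once trusting the groups embedded at issuance and once re-querying the directory at validation time. The `Directory` map (standing in for the LDAP group search), the HMAC token format, the key and the user and group names are all constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Directory map[string][]string // stands in for the LDAP group search (assumption)
type claims struct{ User string; Groups []string; Exp int64 } // Groups: issuance snapshot
var key, enc = []byte("constructed-demo-key"), base64.RawURLEncoding

func sign(b []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(b)
	return enc.EncodeToString(m.Sum(nil))
}

// Issue embeds the user's current groups in the token, as the issue describes.
func Issue(d Directory, user string, ttl time.Duration) string {
	b, _ := json.Marshal(claims{user, d[user], time.Now().Add(ttl).Unix()})
	return enc.EncodeToString(b) + "." + sign(b)
}

// Verify checks signature and expiry; live=true re-queries the directory instead of trusting the snapshot.
func Verify(d Directory, tok string, live bool) ([]string, error) {
	body, sig, _ := strings.Cut(tok, ".")
	b, err := enc.DecodeString(body)
	var c claims
	if err != nil || !hmac.Equal([]byte(sign(b)), []byte(sig)) ||
		json.Unmarshal(b, &c) != nil || time.Now().Unix() >= c.Exp {
		return nil, fmt.Errorf("invalid or expired token")
	}
	if live {
		return d[c.User], nil
	}
	return c.Groups, nil
}

func main() {
	d := Directory{"alice": {"dev", "cluster-admins"}}
	tok := Issue(d, "alice", time.Hour)
	d["alice"] = []string{"dev"} // removed from cluster-admins while token is valid
	fmt.Println(Verify(d, tok, false)) // embedded snapshot
	fmt.Println(Verify(d, tok, true))  // live lookup
}
```

With the embedded snapshot the revoked group stays in effect until the token expires, so the token lifetime is the upper bound on how long a membership change goes unnoticed; the live lookup costs one directory query per verification.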
