Configure AuthService Audiences

Depending on your EKF deployment, you may need to authenticate certain clients with specific audiences. In this case, you will need to configure AuthService to accept the tokens of these clients with the respective audiences. Audiences are strings that are associated with tokens, and specify the target resource server for a token.

This guide will walk you through configuring the audiences that AuthService accepts for authentication.

Important

There are currently two AuthService authenticators that check token audiences:

  • The Kubernetes authenticator, which by default expects the istio-ingressgateway.istio-system.svc.cluster.local audience.
  • The JWT access token authenticator, which has no default audience; the admin must configure one based on the audience claim of the JWT access token issued by the external Identity Provider. You can find out more on how the JWT access token authentication method works in Authentication with External Identity Providers Using JWT.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Edit the kubeflow/manifests/common/oidc-authservice/overlays/deploy/audiences.env file and append the audiences of the clients as comma-separated values:

    AUDIENCES=istio-ingressgateway.istio-system.svc.cluster.local,<CUSTOM_AUDIENCE>

    Replace the <CUSTOM_AUDIENCE> with the audience of the clients you want AuthService to authenticate, for example:

    AUDIENCES=istio-ingressgateway.istio-system.svc.cluster.local,myAudience

    Important

    If you want to use the Kubernetes authentication method, do not remove the istio-ingressgateway.istio-system.svc.cluster.local audience from AUDIENCES.

  3. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am \
    > "authservice: Extend the list of the accepted AUDIENCES."
  4. Apply the changes:

    root@rok-tools:~/ops/deployments# rok-deploy --apply \
    > kubeflow/manifests/common/oidc-authservice/overlays/deploy
  5. Restart the authservice Pod manually:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice
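As an added example (not AuthService's own code, which this guide does not show), the following Python models the audience check that the AUDIENCES setting drives: it parses the audiences.env format from step 2, extracts the aud claim from an already signature-verified JWT (aud may be a single string or an array per RFC 7519), and reports which audiences match; the env content and sample token are constructed.

```python
import base64
import json

# Constructed sample content of audiences.env, as written in step 2 above.
AUDIENCES_ENV = "AUDIENCES=istio-ingressgateway.istio-system.svc.cluster.local,myAudience\n"

# Audience the Kubernetes authenticator expects by default.
K8S_AUDIENCE = "istio-ingressgateway.istio-system.svc.cluster.local"


def parse_audiences_env(text):
    """Return the set of accepted audiences from audiences.env content."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "AUDIENCES":
            return {a.strip() for a in value.split(",") if a.strip()}
    return set()

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_audiences(jwt):
    """Extract the aud claim of a compact JWT. This does NOT verify the
    signature: only apply it to a token the authenticator has already verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    aud = json.loads(_b64url_decode(parts[1])).get("aud", [])
    # RFC 7519: aud is either a single string or an array of strings.
    return {aud} if isinstance(aud, str) else set(aud)

def accepted_audiences(jwt, env_text):
    """Audiences the token carries that the AUDIENCES setting accepts (empty = reject)."""
    return token_audiences(jwt) & parse_audiences_env(env_text)

def kubernetes_auth_enabled(env_text):
    """True if the Kubernetes authenticator's default audience is still configured."""
    return K8S_AUDIENCE in parse_audiences_env(env_text)

def constructed_token(aud):
    """Build a constructed sample JWT with the given aud; the signature is a placeholder."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc({"sub": "user", "aud": aud}) + ".placeholder"
```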

Verify

  1. Ensure that the authservice StatefulSet is running. Verify that the STATUS field is Running and the READY field is 1/1:

    root@rok-tools:~# kubectl get pods -n istio-system -l app=authservice
    NAME            READY   STATUS    RESTARTS   AGE
    authservice-0   1/1     Running   0          13s
  2. Ensure that the new authservice Pod has picked up the configuration you applied, that is, the output of the following command includes the audiences you specified in step 2:

    root@rok-tools:~# kubectl get -n istio-system configmap oidc-authservice-parameters -o json \
    > | jq -r '.data.AUDIENCES'
    istio-ingressgateway.istio-system.svc.cluster.local,myAudience

Summary

You have successfully extended the list of the audiences that AuthService accepts.

What’s Next

Check out the rest of the authentication management documentation.