OidcIdentityProviderConfigRequest
import type { OidcIdentityProviderConfigRequest } from "https://aws-api.deno.dev/v0.3/services/eks.ts?docs=full";
An object representing an OpenID Connect (OIDC) configuration. Before associating an OIDC identity provider to your cluster, review the considerations in Authenticating users for your cluster from an OpenID Connect identity provider in the Amazon EKS User Guide.
§Properties
This is also known as audience. The ID for the client application that makes authentication requests to the OpenID identity provider.
The prefix that is prepended to group claims to prevent clashes with existing names (such as system:
groups).
For example, the valueoidc:
will create group names like oidc:engineering
and oidc:infra
.
The URL of the OpenID identity provider that allows the API server to discover public signing keys for verifying tokens.
The URL must begin with https://
and should correspond to the iss
claim in the provider's OIDC ID tokens.
Per the OIDC standard, path components are allowed but query parameters are not.
Typically the URL consists of only a hostname, like https://server.example.org
or https://example.com
.
This URL should point to the level below .well-known/openid-configuration
and must be publicly accessible over the internet.
The key value pairs that describe required claims in the identity token. If set, each claim is verified to be present in the token with a matching value. For the maximum number of claims that you can require, see Amazon EKS service quotas in the Amazon EKS User Guide.
The JSON Web Token (JWT) claim to use as the username.
The default is sub
, which is expected to be a unique identifier of the end user.
You can choose other claims, such as email
or name
, depending on the OpenID identity provider.
Claims other than email
are prefixed with the issuer URL to prevent naming clashes with other plug-ins.