Inject groups:scr1 objects through graph api call in JWT about kubelogin HOT 5 CLOSED

As much as I like the proposal, kubelogin is just a recipient of the AAD token and there is no way we can modify that. There are other projects such as https://github.com/kubeguard/guard that can address this limitation. If you need help in that regard, let me know. Otherwise, closing this issue for now

from kubelogin.

kubelogin cannot modify the JWT. The tokens are digitally signed by Azure. Changing it will break the checksum and the validation.

from kubelogin.

@weinong is there any other solution which can decode the token which has more than 200 groups.. We are using kube-oidc-proxy plugin on EKS which seems to be now maintained by Tremolo..They think this has to be done at kubelogin level and we also donot want to change too many configs in our existing clusters(huge footprint)looks like many of the users are hitting similar issue. Is there a solution where we can fix this from azure side in any way?

from kubelogin.

Groups > 200. It's an Azure issue. But limiting the number of groups to 200 in an Access Token or an ID Token actually seems rather reasonable. (to me anyway, where I suffer from the same issue)
You would have to change the EKS OIDC Provider configuration, but you could do something where you configure 'roles' for your AzureAD (or similar) App Registration and have it add 'roles' as a claim to the tokens. Then have the EKS Identity Provider use 'roles' rather than 'groups' as the "Groups" claim.
You could do something similar with any custom claim.

from kubelogin.

I'd recommend configuring app roles and configure k8s to use roles claim instead of using groups.

from kubelogin.