Adds token pass through to docs

Signed-off-by: JoshVanL <[email protected]>
bbc · Sep 12, 2019 · 0cf02d1 · 0cf02d1
1 parent d30a52a
commit 0cf02d1
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -125,5 +125,8 @@ users:
       name: oidc
 ```
 
+## Configuration
+ - [Token Passthrough](./docs/tasks/token-passthrough.md)
+
 ## Development
 *NOTE*: building kube-oidc-proxy requires Go version 1.12 or higher.
diff --git a/docs/tasks/token-passthrough.md b/docs/tasks/token-passthrough.md
@@ -0,0 +1,24 @@
+# Token Passthrough
+
+kube-oidc-proxy can be configured to enable 'token passthrough' for tokens that
+fail OIDC authentication. If enabled, kube-oidc-proxy will perform a [token
+review](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication)
+API call to the configured target backend using the Kubernetes API. If
+successful, the request will be passed through as-is, with the token intact in
+the request and no other authentication used by kube-oidc-proxy.
+
+To enable token passthrough, include the following flag:
+
+```
+--token-passthrough
+```
+
+In the case of the Kubernetes API server, the authenticator, if audience aware,
+will validate the audiences of tokens using the audience of the API server. A
+new set of audiences can also be given which will be used to validate the token
+against. At least one of these audiences need to be present in the audiences of
+the token to be successful:
+
+```
+---token-passthrough-audiences=aud1.foo.bar,aud2.foo.bar
+```