Kubernetes API with OIDC in Auth0


I’ve successfully set up my local Kubernetes cluster’s Kube API to use OIDC towards an Auth0 managed API. I can access my cluster with kubectl using the OIDC credentials. Now, I wanted to test the scenario in which I revoke/deny my user’s access to the Auth0 API. I therefore blocked the user in Auth0 and removed the permission to the API - but kubectl continues to work - which is not what I expected. How should this usually work?

As a help, below I mention the configuration I have done:

In Auth0:

  • having an API with an Application (Machine to Machine)
  • having a user myuser@mydomain.com with permission to the API

This is the user’s configuration in the kube config file:

- name: myuser@mydomain.com
  user:
    auth-provider:
      config:
        client-id: <my-client-id>
        client-secret: <my-client-secret>
        id-token: <my-id-token>
        idp-issuer-url: https://myorganization.eu.auth0.com/
        refresh-token: <my-refresh-token>
      name: oidc

The Kube API server is started with the following parameters:

# Open ID Connect (OIDC)

In Kubernetes, I’ve created the following ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-admin-role
subjects:
- kind: User
  name: "oidc:myuser@mydomain.ch"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
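To see why blocking the user in Auth0 does not immediately lock kubectl out, here is an added example (not code from the question, Kubernetes or Auth0) that inspects an ID token's claims and mirrors the claim checks the API server's OIDC authenticator performs: issuer, audience and expiry, with no callback to the identity provider. The token itself, the `auth0|123` subject and the 36000-second lifetime are constructed values.

```python
import base64
import json
import time
from typing import Optional

# Values taken from the kube config above; everything else below is constructed.
ISSUER = "https://myorganization.eu.auth0.com/"
CLIENT_ID = "<my-client-id>"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(email: str, issued_at: int, lifetime_s: int = 36000) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test data, not a real Auth0 token)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "auth0|123", "email": email,
              "iat": issued_at, "exp": issued_at + lifetime_s}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"not-a-real-signature")])


def decode_claims(token: str) -> dict:
    """Read the payload for inspection only; the API server verifies the signature against the issuer's JWKS."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def api_server_would_accept(claims: dict, now: int, issuer: str = ISSUER,
                            client_id: str = CLIENT_ID) -> bool:
    """Mirror the authenticator's claim checks (signature check omitted here).
    Note what is absent: nothing in the token says whether the user is blocked
    in Auth0, so a token issued before the block passes until it expires."""
    return (claims.get("iss") == issuer
            and claims.get("aud") == client_id
            and claims.get("exp", 0) > now)


def seconds_until_rejected(token: str, now: Optional[int] = None) -> int:
    """How long an already issued token keeps being accepted after the user is blocked."""
    now = int(time.time()) if now is None else now
    return max(0, decode_claims(token)["exp"] - now)
```

Once the token expires, kubectl's auth-provider tries the refresh-token against Auth0, and that is the first point at which a blocked user is actually turned away; a short ID token lifetime therefore bounds the window.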