Sub claim format (Kubernetes restricted set)

akotlar · March 2, 2019, 4:04am

Hello, my team needs to store the sub claim in Kubernetes pod objects’ metadata.labels object. Values have a restricted character set basically [0-9a-Z_-.]{1-63} (63 chars max, and the characters listed here: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set). We see the sub claim format as something like | where both provider and id are alphanumeric. However I can’t find specific guidance on this, except the OpenID Connect spec, which specifies the full ASCII character set, which is out of bounds for us.

Could you provide guidance on the character set and maximum length for the and portions of the claim? Is it just OpenID spec? Thanks very much!

Alex

markd · March 3, 2019, 1:45pm

Hello @akotlar,

The sub claim is populated with the user’s user_id attribute, which takes the form [provider]|[local part]:

provider is auth0, google-oauth2, github, etc
local part can be “anything”
- it can be explicitly set on account creation
- if not explicitly set during account creation it will be a hex string, e.g. 5c6b52fd451bd02197ecbd5f

In your use case you might want to use an attribute of your own creation. E.g., create a rule that adds you own unique identifier to each user, and then map that to your k8s environment.