►
From YouTube: Sig-Auth Bi-Weekly Meeting for 20200330
Description
Sig-Auth Bi-Weekly Meeting for 20200330
A
Hey
everyone:
this
is
the
march
30th
22nd
2022
cigars
meeting
yesterday
was
code
freeze
for
3,
so
I
think
everybody's
good
and
tired
right
now.
Thankfully
we
have
a
pretty
light
agenda
granted.
I
don't
know
to
hear
how
much
discussion
he
wanted
to
have
about
trust
makers
today,
but
we'll
find
out
and
get
to
it,
but
max.
I
think
you
have
the
first
two
items.
B
Yeah,
I
think
we
can
drop
the
second
one,
because
you
already
answered
this
so
about
the
first
one.
The
idea
is
simple:
I
proposed
it
on
slack,
so
we
have
a
bunch
of
apis
to
debug
authentication
flow.
For
example,
token
review,
subject,
access
review
self
subject
and
this
review
and
so
on,
but
there
is
no
api
which
helps
you
to
get.
B
You
know
who
you
are
your
attributes,
your
user
id
username,
extra
attributes
and
so
on
and
as
we
discussed
on
slack,
it
looks
like
a
missing
part
of
this,
so
I
propose
to
add
some
kind
of
an
api
end
point
to
check
your
attributes
and
also
provide
a
corresponding
obstacle
command
to
like
to
to
make
the
back
easier
to
make
debugging
easier.
Yes,
that's
the
idea.
C
C
C
A
Which,
I
guess
they're
happy
with
all
the
other
web
books
and
everything
else
being
able
to
see
because
they're
semi
privileged
yeah,
I
mean
I
I
mean.
I
would
personally
like
to
see
this.
I
guess
I'd,
maybe
even
be
okay.
If
it's
our
back
is
optional
or
something,
but
the
our
back
to
call
the
api
is
optional.
A
I
guess
that
would
be
that
would
at
least
alleviate
the
concerns.
I
know
jordan
who's
also
not
on
the
call
I
mentioned
concerns
about
just
the
extra
fields
in
general.
We
don't
know
what
people
are
putting
in
them
and
that
that
could
be
bad,
and
I
feel,
like
you,
shouldn't
rely
on
hiding
secrets
inside
of
extra
people
can
do
anything.
A
Yeah,
I'm
not
saying
this
wouldn't
work
with
all
those
I
I
should
have
used
the
word
authorization,
the
idea
being
that
if,
if
you
built
an
api
but
then
did
not
provide
bootstrap
our
back
policy
for
it,
then
it's
up
to
the
cluster
admin
to
assign
that.
But
that's
what
I
was
saying
is
that
we
could.
If
the
concern
is
who
can
see
this
and
you
want
to
control
who
can
see
it
then
go
for
it?
Don't
don't
give
don't
give
anyone
access
or
give
whoever
you
trust
to
have
access?
A
C
A
Would
this
new
endpoint
be
authorized
or
available
to
all
micah
this
question?
Yeah,
I
mean
so
I
think
that's
open-ended.
We
could.
We
could
do
something
similar
to
what
we
did
with
the
bound
service.
Token
account
discovery
endpoint,
where
we
we
only
bind
that
one
to
service
accounts
and
something
like
this.
We
may.
A
I
guess
I
don't
know
if
that
care,
if
a
service
account
can
see
its
own
metadata,
because
it's
already
in
the
in
the
token,
so
maybe
we
could
also
just
the
service
accounts,
but
the
choice
for
binding
it
to
like
system
called
authenticated
or
system
called
unauthenticated
is
deferred
to
the
platform
for
the
discovery,
and
we
could
technically
do
the
same
here.
The
same
concerns
present.
A
C
A
Yeah
yeah,
if
you
feel
feel
free
to
ping
them
directly
in
slack
and
try
to
get
feedback
on
my
side.
I'd
be
happy
to
look
at
it
kept,
but
maybe
don't
write
one
until
you
understand
their
concerns
and
if,
if,
if
you
want
we
can,
we
can
also
put
this
on
the
agenda
for
two
weeks
from
now
and
try
to
try
to
discuss
again
if
they're
on
on
the
call.
A
B
Yeah,
maybe
someone
has
the
same
problem
as
I
am
they
have
just
because
you
know
we
have
this
repo
authorization
that
you
know
you
can
custom
customize
your
like
excel
slides.
So
we
use
this
to
provide
some
kind
of
a
multi-tenancy
to
forbid
access
to
some
namespaces
or
some
resources
during
days
or
nights
for
some
engineers.
B
C
A
Oh
yeah,
no,
what
I
what
I
said
is
this
is
totally
fine.
We
there's
already
folks
trying
to
write
a
kept
for
a
proper,
structured
config
for
multiple
authorization
web
books,
one
one
of
which
would
be
this
capability
of
configuring.
Your
failure
policy-
and
you
know
there.
You
know
it
could
be
fail
close
by
default
or
it
could
be
just
there
is
no
default,
and
you
have
to
tell
us,
but
I
just
I
what
I
didn't
want
is
more
api
server
flags
just
trying
to
tack
on
features.
C
As
it
happens
right
now,
I
believe
we
have
an
ordered
authorizer
but
yeah.
I
I
don't
object
to
a
structure
config,
if
that's
necessary
to
do
it.
That
sounds
okay,
the
idea
of
being
able
to
build
something
that
allows
a
deny
authorizer
sounds
very
reasonable
to
me.
It's
a
thing
that
that
we've
made
use
of
before.
A
A
B
A
So
I
wanted
to
bring
sure
I
went
to
pr
so
so
there
was
some
recent
effort
by
some
folks
to
clean
up
or
try
to
fix
some
bugs
in
our
client-side
oidc
logic.
So
this
is
the
the
not
not
the
server
side,
but
but
with
cube,
ctl
and
client
going
both,
and
I
wanted
to
get
folks's
feelings
around
one
around
sort
of
the
the
health
of
this
thing
that
we
have
that
we
basically
don't
fix
bugs
in.
Even
though
there's
like
known
issues,
they've
been
known
issues
open
for
years.
A
C
A
A
This
is
not
problematic,
because
a
lot
of
providers
should
just
keep
returning
the
same
refresh
token
or
no
refresh
token
at
all
and
just
assume
you're
using
the
old
one,
whereas
like
modern
providers,
modern
in
the
sense
of
more
security,
conscious
ones
make
the
refresh
tokens
one
use,
so
you
get
a
new
one,
every
single
time
and
the
old
ones
invalidated.
In
those
cases,
this
thing
goes
haywire
and
just
falls
off
a
push.
A
Yeah
so
I
mean
yeah.
I
have
a
hard
time
reasoning
about
this
code,
because
there's
there's
locks
inside
this
client
cache
there's
like
global
locks,
then
there's
this
thing
that
hides
a
lock,
because
it's
the
cube,
config
abstraction
and
all
of
this
is
really
really
muddled.
If
you
ever
invoke
more
than
one
tube
cto
command
at
the
same
time,
because
there's
no
synchronization
against
the
cube
config
itself,
so
then
like
we're
gonna,
basically
trash
your
food
config,
which
was
also
not
cool.
A
E
Like
but
but
it's
like,
yeah
go
ahead.
Three
years
I
was
gonna
say
like
for
the
out
of
three
provider
plugins
that
is
like
for
the
g
cloud,
one
that's
what
we
have
done
is
we
have
a
separate
cache
file
where
we
use
a
simple
locking.
Actually
we
don't
even
lock
it.
We
just
rewrite
the
whole
file
every
time
like
atomically,
if
you
have
a
complicated
one.
E
One
thing
we
looked
at
was
using
something
like
both
db,
so
just
like
a
tiny
key
value
store
so
that
we
didn't
have
to
worry
about,
like
all
the
complexity
of
locking
the
file
and
ensuring
that
rights
are
consistent
and
all
that
good
stuff,
in
our
case,
we're
only
caching
a
single
value.
So
we
just
went
with
atomically
replacing
the
file
yeah.
F
E
A
Yeah,
so
I
mean,
I
guess:
that's
where
this
comes
down
to
right
is:
how
far
are
we
willing
to
go
to
actually
make
this
work
right
like
in
something
correct?
I
shouldn't
use
the
word
right,
because
this
happens
to
be
important
to
people,
because
it's
built
into
cube,
ctl
and
very
soon.
This
will
be
the
only
thing
built
into
cube
ctl,
because
the
next
release
is
when
the
built-in
aks
and
gk
stuff
goes
away.
B
A
A
And
start
having
a
distinct,
separate
cache
in
there
and
using
that
file
or
whatever,
as
the
actual
locking
mechanism,
not
not
anything
in
process
or
anything
like
that
and
not
having
multiple
layers.
If
you
make
a
million
clients,
it's
okay,
you
get
a
million
copies,
but
they'll
still
be
synchronized
by
the
file
system.
It
doesn't
matter.
A
E
D
A
C
A
E
E
Certificate
provisioner
kept
draft
google
doc
thingy
was
that
trust
anchor
sets
were
a
useful
piece
of
functionality
on
their
own,
so
they
should
be
broken
out
into
account
and
landed,
and
then
so
I've
done
that
it's
largely
the
same,
except
I
did
a
little
digging
into
how
certificate
signing
requests
interact
with
our
back
and
I
copied
that
mechanism
for
trust
anchor
sets
so
trust.
The
trust
maker
sets
now
carry
a
sign,
a
spec
dot,
signer
name
field.
E
A
F
A
Yeah
I
mean
so
it
is
possible
for
this,
the
crl
endpoint
to
be
embedded
within
the
ca
itself,
and
that's
not
uncommon
for
like
the
big
cas
to
have
it,
because
you
know
they
have
a
ton
of
pki
infrastructure,
but
it
would
be
nice
to
have
the
capability
of
you
know.
I
you
know
I
have
this.
The
ca
bundle
whatever
it's,
maybe
just
a
file
on
disk,
and
I
want
to
be
able
to
control
revocation
for
it
within
this.
E
A
E
A
C
In
my
own
world,
I've
gotten
a
lot
of
requests
for
it.
The
assumption
is
that
it's
built
into
the
library,
and
we
just
aren't
using
it.
I
I
don't
know
that
I
have
an
opinion
about
coupling
it
together
here.
My
memory
is
that
you
can
actually
just
say
on
a
ca
bundle.
Here's
where
my
crl
is
and
if
the
client
honors
it
it
works,
and
so,
if
the
trust
anchor
gives
us
a
spot
to
place
that
which
I
haven't
read
this
cap,
probably
because
it
was
made
at
3am
today
then.
A
D
E
So
I
create
my
own
example.com,
slash,
super
cool
ca,
signer
and
that's
how
I
surface
the
ability
to
use
that
private
ca
hierarchy
inside
my
cluster
there's
some
cases
where
the
signer
name
is
kind
of
redundant.
Where
like
what
mike
was
wanting
where
we
could
throw
some
certs
into
one
of
these
trust
maker
sets
and
then
use
it
in
a
webhook,
backend
config.
D
E
E
E
If
you're
using
youtube
to
us-
and
you
want
to
federate
yourself
with
you-
know
some
other
company-
you
want
to
talk
to
their
workloads-
that's
still
occurring
under
the
auspices
of
your
dot.
Example.Com
super
cool
case
signer,
but
it
will
have
a
different
named.
Trusting
set
you'll
have
the
default
one
for
your
workloads
and
then
you'll
have
you
know:
billy
bob's,
emporium
trust
set.