🚀 Feature: Allow uploading jwks file for federated credentials #9

Open
opened 2025-10-06 23:58:05 +03:00 by OVERLORD · 3 comments

Originally created by @userbradley on GitHub.

### Feature description

When working with Kubernetes jwks, the Kubernetes API is using a self-signed cert, meaning that Pocket ID can't get the jwks file and validate it.

I would like to see the ability to upload this file to Pocket ID

A good example is how GCP does this for their Federated Kubernetes IAM:

https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes

```
kubectl get --raw /openid/v1/jwks > cluster-jwks.json
```

Which is then used later:

```
gcloud iam workload-identity-pools providers create-oidc WORKLOAD_PROVIDER_ID \
    --location="global" \
    --workload-identity-pool="POOL_ID" \
    --issuer-uri="ISSUER" \
    --attribute-mapping="MAPPINGS" \
    --attribute-condition="CONDITIONS" \
    --jwk-json-path="cluster-jwks.json" <--- HERE!
```

This nicely gets around having to host the jwks file on a public endpoint, much like how AWS makes you do:

https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md

### Pitch

I am writing an app that runs in k8s that reaches out to Mealie, and then emails me tonight's dinner.

I have Mealie behind Pocket ID, which means that I need to authenticate using a user's token. By instead using federated credentials, I can have Kubernetes _be_ a user and make API requests instead of being based on a user.

The reason I'd like to see the ability to upload the jwks file is the same as AWS's reason: the cluster should not be public, and there's no way for Pocket ID to access these keys otherwise.


@michaelbeaumont commented on GitHub:

> When working with Kubernetes jwks, the Kubernetes API is using a self-signed cert, meaning that pocket id can't get the jwks file and validate it.

For the record, for this problem specifically, what you can also do is put the CA, i.e. `clusters[].cluster.certificate-authority-data` from your Kubeconfig, into [`/etc/ssl/certs`](https://go.dev/src/crypto/x509/root_linux.go) and `pocket-id` will pick it up.

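The two points raised so far, the issue's `kubectl get --raw /openid/v1/jwks` fetch that fails on a self-signed API-server certificate and the suggestion above of trusting the cluster CA instead, as an added example in Go (the language Pocket ID is written in). This is not Pocket ID's code and not anything a participant posted: it stands up a local TLS server using `httptest`'s self-signed certificate as a stand-in for the kube-apiserver, serves a constructed JWKS for a freshly generated RSA key, shows that fetching it with the system trust store fails, builds a trust pool from a value shaped exactly like `certificate-authority-data` (base64 of the CA PEM) and fetches again, and finally converts the JWK into the `*rsa.PublicKey` a token verifier takes. The `/openid/v1/jwks` path is the real API-server path; the `demo-kid` key ID, the server and the functions `rootsFromCAData`, `fetchJWKS`, `publicKey` and `runDemo` are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
)

// Just enough of a JWKS for the RSA keys kube-apiserver serves at /openid/v1/jwks.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type jwks struct {
	Keys []jwk `json:"keys"`
}

var b64url = base64.RawURLEncoding

// rootsFromCAData turns clusters[].cluster.certificate-authority-data from a kubeconfig
// (the cluster CA PEM file, base64-encoded) into the trust pool TLS verification needs.
func rootsFromCAData(caData string) (*x509.CertPool, error) {
	pemBytes, err := base64.StdEncoding.DecodeString(caData)
	pool := x509.NewCertPool()
	if err != nil || !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("certificate-authority-data is not base64-encoded PEM")
	}
	return pool, nil
}

// fetchJWKS downloads a JWKS over TLS. roots == nil means the system trust store,
// which is exactly what fails against an API server that uses a private/self-signed CA.
func fetchJWKS(url string, roots *x509.CertPool) (*jwks, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}}}
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var doc jwks
	return &doc, json.NewDecoder(resp.Body).Decode(&doc)
}

// publicKey converts an RSA JWK (n and e are base64url big-endian integers) into the
// *rsa.PublicKey a JWT verifier takes; this is the "validate it" half of the issue.
func publicKey(k jwk) (*rsa.PublicKey, error) {
	n, errN := b64url.DecodeString(k.N)
	e, errE := b64url.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil {
		return nil, fmt.Errorf("unusable JWK %q", k.Kid)
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// runDemo uses httptest's self-signed certificate as a stand-in for the kube-apiserver and
// serves a constructed JWKS for a freshly generated key. It reports the error from fetching with
// system roots, the error from fetching with the cluster CA trusted, and whether the JWK decodes to the signing key.
func runDemo() (systemRootsErr, clusterCAErr error, keyMatches bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := jwks{Keys: []jwk{{Kty: "RSA", Kid: "demo-kid", // kid is constructed for the demo
		N: b64url.EncodeToString(priv.N.Bytes()), E: b64url.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}}
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(doc)
	}))
	defer srv.Close()
	url := srv.URL + "/openid/v1/jwks"
	// The value certificate-authority-data would hold in a kubeconfig for this "cluster".
	caData := base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw}))
	_, systemRootsErr = fetchJWKS(url, nil) // expected: x509 unknown authority
	roots, err := rootsFromCAData(caData)
	if err != nil {
		return systemRootsErr, err, false
	}
	fetched, err := fetchJWKS(url, roots)
	if err != nil {
		return systemRootsErr, err, false
	}
	for _, k := range fetched.Keys {
		if pub, err := publicKey(k); err == nil && pub.N.Cmp(priv.N) == 0 && pub.E == priv.E {
			keyMatches = true
		}
	}
	return systemRootsErr, nil, keyMatches
}

func main() { fmt.Println(runDemo()) }
```

On a real cluster the base64 value comes straight from the kubeconfig, for example `kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'`. Decoding it into a file under `/etc/ssl/certs` is the out-of-band equivalent of `rootsFromCAData`: Go's default root loading on Linux reads that directory (the `root_linux.go` link above), and the `SSL_CERT_FILE` / `SSL_CERT_DIR` environment variables override those locations, which is the easier route in a container.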

@ItalyPaleAle commented on GitHub:

The federation implemented in Pocket ID _today_ is for _client authentication_ (client = apps), not for authenticating resource owners (users or other kinds of “principals”). So this wouldn’t help in your case either way.

However, I do think the solution that @michaelbeaumont suggested, of adding the CA certs so Pocket ID can use them, would be better suited here…


@userbradley commented on GitHub:

Turns out I have misunderstood what this is for, RE my use case.

But the general idea stands that it would be nice to be able to upload the jwks to Pocket ID


Reference: starred/pocket-id#9