Pinniped Logo

Pinniped Documentation

Configure the Pinniped Concierge to validate JWT tokens issued by the Pinniped Supervisor

The Concierge can validate JSON Web Tokens (JWTs), which are commonly issued by OpenID Connect (OIDC) identity providers.

This guide shows you how to use this capability in conjunction with the Pinniped Supervisor. Each FederationDomain defined in a Pinniped Supervisor acts as an OIDC issuer. By installing the Pinniped Concierge on multiple Kubernetes clusters, and by configuring each cluster’s Concierge as described below to trust JWT tokens from a single Supervisor’s FederationDomain, your clusters' users may safely use their identity across all of those clusters. Users of these clusters will enjoy a unified, once-a-day login experience for all the clusters with their kubectl CLI.

If you would rather not use the Supervisor, you may want to configure the Concierge to validate JWT tokens from other OIDC providers instead.


This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.

It also assumes that you have configured an OIDCIdentityProvider, LDAPIdentityProvider, or ActiveDirectoryIdentityProvider for the Supervisor as the source of your user’s identities. Various examples of configuring these resources can be found in these guides.

It also assumes that you have already installed the Pinniped Concierge on all the clusters in which you would like to allow users to have a unified identity.

Create a JWTAuthenticator

Create a JWTAuthenticator describing how to validate tokens from your Supervisor’s FederationDomain:

kind: JWTAuthenticator
  name: my-supervisor-authenticator

  # The value of the `issuer` field should exactly match the `issuer`
  # field of your Supervisor's FederationDomain.

  # You can use any `audience` identifier for your cluster, but it is
  # important that it is unique for security reasons.
  audience: my-unique-cluster-identifier-da79fa849

  # If the TLS certificate of your FederationDomain is not signed by
  # a standard CA trusted by the Concierge pods by default, then
  # specify its CA here as a base64-encoded PEM.
    certificateAuthorityData: LS0tLS1CRUdJTiBDRVJUSUZJQ0...0tLQo=

If you’ve saved this into a file my-supervisor-authenticator.yaml, then install it into your cluster using:

kubectl apply -f my-supervisor-authenticator.yaml

Do this on each cluster in which you would like to allow users from that FederationDomain to log in. Don’t forget to give each cluster a unique audience value for security reasons.

Next steps

Next, log in to your cluster!