Every failure the workload track can show is token-side —
a bad aud, a missing claim. This step shows the failure
class OIDC people under-learn: the token below is flawless,
and whether it gets 401 or authenticates depends
entirely on a config file it has never seen. Toggle the apiserver's
state and watch the verdict — the token panel will not change.
what actually happens
- kubectl presents the id_token as a Bearer header on every API request.
- The apiserver decides — if
--oidc-*flags are configured, it validates and resolves an identity; if not, there is no OIDC authenticator at all and the same token is rejected.
the token · constant does not change when you toggle below
eyJhbGciOiJSUzI1NiIsIm…ic-use decode in step 1 → -
sig -
iss -
aud -
exp -
email -
groups -
mfa
a valid token is necessary but not sufficient — someone on the consumer side has to be configured to trust the issuer.