Feature #18347
Updated by Peter Amstutz over 2 years ago
For client-provided federated tokens, or token that are validated using OIDC:
If the token is ultimately explicitly rejected by the remote, or the remote responds with an unacceptable response (eg claiming the token belongs to a user the cluster doesn't own) or it rejected by OIDC and every other check, it should cache the result for a certain amount of time as a known-bad token. This enables future requests using that token to be rejected quickly avoiding more expensive federated or OIDC lookups. This is a mitigation strategy for badly behaved clients that retry a failed request using the same bad token.
It is important that it does not record negative results when the lookup failed due to communications failures such as 500 errors or timeouts.