    • Resolution: Done

      In certain clusters, there is a bug that prevents successful authentication. The issue lies with the AuthConfig component, which assumes the audience for the token to be "kubernetes.default.svc". However, in some cluster configurations, this value is set differently, leading to authentication failures.

      Passing empty audiences [] is not possible as Authorino sets it to the caller host in such a case.

      Workaround

      As a workaround, the audiences in the AuthConfig can be adjusted to match what is defined for the cluster: issue a TokenReview with empty audiences to get the list of possible audiences in the cluster, then patch the AuthConfig with the result:

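      # Token of a user who can authenticate against the cluster
      TOKEN=YOUR_USER_TOKEN
      ODH_NS=opendatahub
      # TokenReview with empty audiences: the response lists the audiences valid in this cluster
      result=$(kubectl create -o jsonpath='{.status.audiences[0]}' -f - <<EOF
      apiVersion: authentication.k8s.io/v1
      kind: TokenReview
      spec:
        token: "$TOKEN"
        audiences: []
      EOF
      )

      # Replace the audiences assumed by the AuthConfig with the one reported by the cluster
      kubectl patch authconfig odh-dashboard-protection -n "${ODH_NS}" --type='json' -p="[{'op': 'replace', 'path': '/spec/identity/0/kubernetes/audiences', 'value': ['${result}']}]"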
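
A pre-flight check for the workaround above, as an added Python example (not part of the original issue or of the ODH or Authorino code). It takes the TokenReview response as parsed JSON, stops when the token was rejected or no audiences came back, and builds the patch from every reported audience rather than only the first. The sample responses and the issuer URL are constructed; the patch path is the one from the command above.

```python
import json

# JSON Pointer copied from the kubectl patch command in the workaround.
AUDIENCES_PATH = "/spec/identity/0/kubernetes/audiences"


def cluster_audiences(token_review):
    """Audiences the API server reported in a TokenReview response."""
    status = token_review.get("status") or {}
    if not status.get("authenticated"):
        # A rejected token gives no audience list worth copying into the AuthConfig.
        raise ValueError("token not authenticated: %s"
                         % status.get("error", "no error reported"))
    audiences = [a for a in status.get("audiences") or [] if a]
    if not audiences:
        raise ValueError("TokenReview reported no audiences")
    return audiences


def build_patch(token_review, configured):
    """JSON Patch text for the AuthConfig, or None when it already matches."""
    reported = cluster_audiences(token_review)
    if set(configured) & set(reported):
        return None  # at least one configured audience is valid for this cluster
    # json.dumps escapes the values, so nothing is spliced into the patch by hand.
    return json.dumps([{"op": "replace", "path": AUDIENCES_PATH, "value": reported}])


# Constructed sample responses; the issuer URL is a made-up value.
REVIEW_OK = {"status": {"authenticated": True,
                        "audiences": ["https://oidc.example.test/cluster-a"]}}
REVIEW_REJECTED = {"status": {"authenticated": False, "error": "token expired"}}

if __name__ == "__main__":
    # "kubernetes.default.svc" is the audience the AuthConfig assumes.
    print(build_patch(REVIEW_OK, ["kubernetes.default.svc"]))
```

The returned string can be passed to `kubectl patch ... --type='json' -p` in place of the hand-built patch.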
      

              bartosz-1 Bartosz Majsak