{"id":97388,"date":"2025-05-08T08:00:00","date_gmt":"2025-05-08T15:00:00","guid":{"rendered":""},"modified":"2025-05-30T16:55:36","modified_gmt":"2025-05-30T23:55:36","slug":"jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication","status":"publish","type":"post","link":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/","title":{"rendered":"JWT it like it&#8217;s hot: A practical guide for Kubernetes Structured Authentication"},"content":{"rendered":"\n<p>About a year ago the <a href=\"https:\/\/github.com\/kubernetes\/community\/blob\/master\/sig-auth\/README.md\" target=\"_blank\" rel=\"noreferrer noopener\">Kubernetes SIG Auth team<\/a> announced the promotion of Structured Authentication to Beta in <a href=\"https:\/\/kubernetes.io\/blog\/2024\/04\/25\/structured-authentication-moves-to-beta\/\" target=\"_blank\" rel=\"noreferrer noopener\">this blog post<\/a>. Moving to beta is a crucial step on its journey to becoming a stable, generally available feature in Kubernetes. With this milestone, we can now test the feature on any Kubernetes cluster running version 1.30 or later and, in this blog, we\u2019ll do just that.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-16018d1d wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/azure.microsoft.com\/en-us\/products\/kubernetes-service\">Innovate with seamless Kubernetes deployment and operation<\/a><\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-structured-authentication\">Why structured authentication?&nbsp;<\/h2>\n\n\n\n<p>Structured Authentication in Kubernetes aims to simplify and centralize the configuration of the kube-apiserver. 
Prior to Kubernetes 1.30, configuring kube-apiserver for authentication and authorization (AuthN\/AuthZ) required setting numerous individual flags. Additionally, OIDC-based authentication was limited to a single provider.&nbsp;<\/p>\n\n\n\n<p>This new approach allows you to configure multiple JWT authenticators and implement sophisticated token validation using the Common Expression Language (CEL).&nbsp;Even better, changes can now be applied without restarting the kube-apiserver, minimizing cluster downtime.&nbsp;<\/p>\n\n\n\n<p>In this post, we\u2019ll walk through setting up Structured Authentication on a local <a href=\"https:\/\/kind.sigs.k8s.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">kind<\/a> (Kubernetes IN Docker) cluster. You\u2019ll learn how to configure both Microsoft Entra ID and Okta as JWT providers, and how to write a simple CEL-based token validation rule. By the end, you\u2019ll have a practical understanding of the feature and how your organization can start taking advantage of it.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"prerequisites\">Prerequisites&nbsp;<\/h2>\n\n\n\n<p>Before you begin, ensure you have the following tools installed:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.terraform.io\/\">Terraform<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.docker.com\/products\/docker-desktop\/\">Docker Desktop<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/kind.sigs.k8s.io\/\">kind <\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/kubernetes.io\/docs\/reference\/kubectl\/\">kubectl <\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/krew.sigs.k8s.io\/\">krew <\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/int128\/kubelogin\">oidc login<\/a> (aka kubelogin) &nbsp;<\/li>\n\n\n\n<li>POSIX-compliant shell (such as Bash, Zsh, Ksh)&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>You will also need a Microsoft Entra tenant and Okta Developer account. 
If you don\u2019t have these, check out the following links:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/%20entra\/fundamentals\/create-new-tenant#to-create-a-new-tenant\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Entra<\/a>&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/developer.okta.com\/login\/\" target=\"_blank\" rel=\"noreferrer noopener\">Okta Developer<\/a>&nbsp;\n<ul class=\"wp-block-list\">\n<li>Hint: log in using GitHub or Google credentials.&nbsp;<\/li>\n\n\n\n<li>Once you have logged in, you will need to create an <a href=\"https:\/\/developer.okta.com\/docs\/guides\/create-an-api-token\/main\/\" target=\"_blank\" rel=\"noreferrer noopener\">API token<\/a> to create Okta resources with Terraform.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"demo-environment-setup-with-terraform\">Demo environment setup with Terraform&nbsp;<\/h2>\n\n\n\n<p>We\u2019ve created a simple Terraform configuration file to set up the demo environment.&nbsp;<\/p>\n\n\n\n<p>Start by opening a new terminal and creating a new working directory.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nmkdir k8s-structured-auth-demo\ncd k8s-structured-auth-demo\n<\/pre><\/div>\n\n\n<p>Download the Terraform configuration file.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\ncurl https:\/\/gist.githubusercontent.com\/pauldotyu\/bedf470baed79fb12a064bf1227e4fc5\/raw\/78b8feb630748ef650741e39aafa64758b132cb0\/k8s-structured-auth-demo-setup.tf -o main.tf\n<\/pre><\/div>\n\n\n<p>This configuration file will create the following and output several properties which will be used to configure structured authentication within the cluster:&nbsp;<\/p>\n\n\n\n<p>Okta:&nbsp;<\/p>\n\n\n\n<p>1. Creates a new group called k8s-readers&nbsp;<\/p>\n\n\n\n<p>2. 
Adds your user account to the new k8s-readers group&nbsp;<\/p>\n\n\n\n<p>3. Creates a new OAuth application called k8s-oidc that:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Uses authorization code flow&nbsp;<\/li>\n\n\n\n<li>Redirects authentication requests to http:\/\/localhost:8000<\/li>\n<\/ul>\n\n\n\n<p>4. Adds the new app to the k8s-readers group&nbsp;<\/p>\n\n\n\n<p>5. Creates an auth server that enables authorization code flow and exposes group membership claims&nbsp;<\/p>\n\n\n\n<p>Microsoft Entra:&nbsp;<\/p>\n\n\n\n<p>1. Creates a new security group called k8s-admins&nbsp;<\/p>\n\n\n\n<p>2. Adds your user account to the new k8s-admins group&nbsp;<\/p>\n\n\n\n<p>3. Creates a new application registration called k8s-oidc that:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exposes group membership claims&nbsp;<\/li>\n\n\n\n<li>Redirects authentication requests to http:\/\/localhost:8000&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Before you run the Terraform script, you will need to set Okta variables for API access. 
Rather than setting these parameters each time, you can add your credentials to a file.&nbsp;<\/p>\n\n\n\n<p>Create a new <code>okta.auto.tfvars<\/code> file and add the following:&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nokta_org_name  = \"your_okta_org_name\"\nokta_api_token = \"your_okta_api_token\"\nokta_user      = \"your_okta_user_primary_email\"\n<\/pre><\/div>\n\n\n<p>Run the following commands to apply the Terraform configuration:&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nterraform init\nterraform apply\n<\/pre><\/div>\n\n\n<p>Give it a few seconds and you should see the output properties in your terminal.&nbsp;<\/p>\n\n\n\n<p>Save the output values as shell variables for later use.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nMSFT_ISSUER_URL=$(terraform output -raw microsoft_issuer_url)\nMSFT_TENANT_ID=$(terraform output -raw microsoft_tenant_id)\nMSFT_CLIENT_ID=$(terraform output -raw microsoft_client_id)\nMSFT_GROUP_ID=$(terraform output -raw microsoft_group_id)\nOKTA_ISSUER_URL=$(terraform output -raw okta_issuer_url)\nOKTA_CLIENT_ID=$(terraform output -raw okta_client_id)\n<\/pre><\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"configure-kind-cluster-to-use-structured-authentication\">Configure kind cluster to use structured authentication&nbsp;<\/h2>\n\n\n\n<p>With kind, you customize cluster deployments by creating a configuration file which is passed during cluster creation. You can view the configuration file <a href=\"https:\/\/gist.github.com\/pauldotyu\/0390da968b44035d572550e8012eadad\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.&nbsp;<\/p>\n\n\n\n<p>To configure authentication, we mount a <code>structured-auth.yaml<\/code> file into the API server container using extraMounts and extraVolumes. 
The API server then utilizes a single <code>--authentication-config<\/code> flag referencing this file.&nbsp;<\/p>\n\n\n\n<p>Run the following command to create the auth config with Microsoft Entra as a JWT provider:&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: xml; title: ; notranslate\" title=\"\">\ncat <<EOF > structured-auth.yaml\napiVersion: apiserver.config.k8s.io\/v1beta1\nkind: AuthenticationConfiguration\njwt:\n  - issuer:\n      url: https:\/\/login.microsoftonline.com\/$MSFT_TENANT_ID\/v2.0\n      audiences:\n        - $MSFT_CLIENT_ID\n    claimMappings:\n      username:\n        claim: \"email\"\n        prefix: \"\"\n      groups:\n        claim: \"groups\"\n        prefix: \"\"\nEOF\n<\/pre><\/div>\n\n\n<p>Run the following command to create a new kind cluster and configure JWT Authenticators using Structured Authentication Configuration.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: xml; title: ; notranslate\" title=\"\">\nkind create cluster --config <(curl -s https:\/\/gist.githubusercontent.com\/pauldotyu\/0390da968b44035d572550e8012eadad\/raw\/a33000036b0839fc2699c456aedd3800f8dfa1a1\/structured-auth-kind-config.yaml)\n<\/pre><\/div>\n\n\n<p>With the structured authentication piece in place, we need to configure authorization to allow users that are members of the k8s-admins group to be cluster administrators. 
Run the following command to create the <code>ClusterRoleBinding<\/code>:&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: xml; title: ; notranslate\" title=\"\">\nkubectl apply -f - <<EOF\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: azure-cluster-admin\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- kind: Group\n  name: $MSFT_GROUP_ID\nEOF\n<\/pre><\/div>\n\n\n<p>Without this <code>ClusterRoleBinding<\/code>, you will be authenticated but not authorized to do anything in the cluster.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"test-as-azure-user\">Test as Azure user&nbsp;<\/h2>\n\n\n\n<p>To test, add a new Azure user to kubeconfig, using the oidc-login plugin with Microsoft Entra information for kubectl authentication.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nkubectl config set-credentials azure-user \\\n--exec-api-version=client.authentication.k8s.io\/v1 \\\n--exec-interactive-mode=Never \\\n--exec-command=kubectl \\\n--exec-arg=oidc-login \\\n--exec-arg=get-token \\\n--exec-arg=--oidc-issuer-url=${MSFT_ISSUER_URL} \\\n--exec-arg=--oidc-client-id=${MSFT_CLIENT_ID} \\\n--exec-arg=--oidc-extra-scope=\"email offline_access profile openid\"\n<\/pre><\/div>\n\n\n<p>With the user in place, we can test actions as that user. 
Run the following commands and confirm that you are redirected to log in and that the commands run successfully:&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nkubectl run myhttpd --user=azure-user --image=httpd:alpine\nkubectl expose pod myhttpd --user=azure-user --port 80\n<\/pre><\/div>\n\n\n<p>You will be redirected to a browser window where you can log in and grant the permissions requested by the application. Upon successful login, your user account will have full cluster admin privileges, enabling you to create any Kubernetes resource.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"add-another-jwt-provider\">Add another JWT provider&nbsp;<\/h2>\n\n\n\n<p>The structured authentication config currently defines a single JWT provider, which is no different from using the existing OIDC flags on the kube-apiserver. Its power lies in the ability to add further JWT providers without needing to restart the kube-apiserver.&nbsp;<\/p>\n\n\n\n<p>Run the following command to drop in a new Okta-based JWT provider:&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: xml; title: ; notranslate\" title=\"\">\ncat <<EOF >> structured-auth.yaml\n  - issuer:\n      url: $OKTA_ISSUER_URL\n      audiences:\n      - $OKTA_CLIENT_ID\n    claimMappings:\n      username:\n        claim: \"email\"\n        prefix: \"\"\n      groups:\n        claim: \"groups\"\n        prefix: \"\"\nEOF\n<\/pre><\/div>\n\n\n<p>Because kind clusters run in Docker containers, you can exec into the control plane container to verify the structured-auth file has been updated.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\ndocker exec -it kind-control-plane cat \/etc\/kubernetes\/structured-auth.yaml\n<\/pre><\/div>\n\n\n<p>Check the kube-apiserver logs to see the configuration reloaded automatically\u2014without restarting the apiserver. 
Wait 5-7 seconds, then run the verification command.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\ndocker exec -it kind-control-plane sh -c \"cat \/var\/log\/containers\/kube-apiserver-kind-control-plane_kube-system_kube-apiserver-*.log\"\n<\/pre><\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"test-as-okta-user\">Test as Okta user&nbsp;<\/h2>\n\n\n\n<p>Create the Role and RoleBinding, assigning read access to Pods and Services to users within the \u2018k8s-readers\u2019 group.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nkubectl apply -f https:\/\/gist.githubusercontent.com\/pauldotyu\/823a6bb1e73c3ac3ac1b2311429249f0\/raw\/1eb34efcc453e5024361fb7f486c03b401453994\/okta-po-svc-reader.yaml\n<\/pre><\/div>\n\n\n<p>Add the Okta user to kubeconfig.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nkubectl config set-credentials okta-user \\\n--exec-api-version=client.authentication.k8s.io\/v1beta1 \\\n--exec-command=kubectl \\\n--exec-arg=oidc-login \\\n--exec-arg=get-token \\\n--exec-arg=--oidc-issuer-url=${OKTA_ISSUER_URL} \\\n--exec-arg=--oidc-client-id=${OKTA_CLIENT_ID} \\\n--exec-arg=--oidc-extra-scope=\"email offline_access profile openid\"\n<\/pre><\/div>\n\n\n<p>Run these commands and verify that you are redirected to the Okta login page and that you are not authorized to create Pods or view Node information.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nkubectl run mybusybox --user=okta-user --image=busybox --restart=Never --command -- sleep 3600\nkubectl get nodes --user=okta-user\n<\/pre><\/div>\n\n\n<p>However, the created Role and RoleBinding <em>do<\/em> allow you to view Pod and Service information. Confirm this by running the following 
commands.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nkubectl get po --user=okta-user\nkubectl get svc --user=okta-user\n<\/pre><\/div>\n\n\n<p>And just like that\u2014we can drop in new JWT providers on the fly without needing to reboot the kube-apiserver! That\u2019s pretty slick, isn't it?&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"add-claim-validation-rule-with-cel\">Add Claim Validation Rule with CEL&nbsp;<\/h2>\n\n\n\n<p>Structured authentication unlocks powerful features like claim validation and claim mappings\u2014all built using <a href=\"https:\/\/kubernetes.io\/docs\/reference\/using-api\/cel\/\" target=\"_blank\" rel=\"noreferrer noopener\">Common Expression Language<\/a> (CEL)! With CEL, you can define complex rules and enforce organizational policies. Run the following command to add a rule that only allows users with a name starting with \u2018Bob\u2019 to authenticate into the kube-apiserver:&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: xml; title: ; notranslate\" title=\"\">\ncat <<EOF >> structured-auth.yaml\n    claimValidationRules:\n      - expression: \"claims.name.startsWith('Bob')\"\n        message: only people named Bob are allowed\nEOF\n<\/pre><\/div>\n\n\n<p>Re-run the commands to verify the structured-auth file is updated and reloaded.&nbsp;<\/p>\n\n\n\n<p>Since claim validations occur when the JWT token is evaluated, you\u2019ll need to reset the OIDC token cache to trigger a new authentication.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nkubectl oidc-login clean\n<\/pre><\/div>\n\n\n<p>Run the following commands and confirm that what used to work is no longer successful\u2014unless your name <strong><em>is<\/em><\/strong> Bob \ud83d\ude05.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: 
plain; title: ; notranslate\" title=\"\">\nkubectl get po --user=okta-user\nkubectl get svc --user=okta-user\n<\/pre><\/div>\n\n\n<p>Now, let\u2019s change the config to use your name. Using the nano editor, find the name \u2018Bob\u2019 and replace it with your name.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nnano structured-auth.yaml\n<\/pre><\/div>\n\n\n<p>Reset the OIDC token cache.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nkubectl oidc-login clean\n<\/pre><\/div>\n\n\n<p>Run the same commands again\u2014you should now be able to view Pod and Service data!&nbsp;<\/p>\n\n\n\n<p>Structured authentication supports any JWT-compliant token provider, giving you the power to define custom claim mapping logic using CEL expressions. This allows you to create a highly tailored and flexible authentication process.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"summary-1\">Summary&nbsp;<\/h2>\n\n\n\n<p>With this practical guide, you now know how to secure your Kubernetes cluster using the structured authentication feature, offering flexible integration with any JWT-compliant token provider. Its core strength lies in the ability to define granular access control via CEL, enabling you to extract and validate token claims against Kubernetes user attributes such as usernames and groups. 
This enables the use of complex logic to determine whether a token should be trusted\u2014ensuring a highly customizable and secure authentication experience.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"cleanup\">Cleanup&nbsp;<\/h2>\n\n\n\n<p>Once you\u2019re done testing and exploring, run the following commands to clean up your environment.&nbsp;<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nkind delete cluster\nkubectl config delete-user azure-user\nkubectl config delete-user okta-user\nkubectl oidc-login clean\nterraform destroy --auto-approve\n<\/pre><\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"what-s-next\">What's next?&nbsp;<\/h2>\n\n\n\n<p>This upstream development\u2014benefiting the entire Kubernetes community\u2014is also being actively implemented for AKS customers, delivering a secure authentication solution with an emphasis on providing an intuitive user experience. We welcome your feedback and feature requests as we continue this work. 
For more details, check out the resources linked below.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"references-and-call-to-action\">References and call to action&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a 
href=\"https:\/\/kubernetes.io\/blog\/2024\/04\/25\/structured-authentication-moves-to-beta\/\" target=\"_blank\" rel=\"noreferrer noopener\">Kubernetes 1.30: Structured Authentication Configuration Moves to Beta<\/a>.&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/authentication\/#openid-connect-tokens\" target=\"_blank\" rel=\"noreferrer noopener\">Kubernetes API Access Control: Authenticating with OpenID Connect Tokens<\/a>.&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/kubernetes.io\/docs\/reference\/using-api\/cel\/\" target=\"_blank\" rel=\"noreferrer noopener\">Common Expression Language in Kubernetes<\/a>.&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/app-objects-and-service-principals?tabs=browser\" target=\"_blank\" rel=\"noreferrer noopener\">Application and service principal objects in Microsoft Entra ID<\/a>.&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/v2-oauth2-auth-code-flow\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft identity platform and OAuth 2.0 authorization code flow<\/a>.&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/kubernetes\/enhancements\/tree\/master\/keps\/sig-auth\/3331-structured-authentication-configuration\" target=\"_blank\" rel=\"noreferrer noopener\">KEP-3331: Structured Authentication Config<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>With this practical guide, you now know how to secure your Kubernetes cluster using the structured-authentication feature, offering flexible integration with any JWT-compliant token 
provider.<\/p>\n","protected":false},"author":6153,"featured_media":95492,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"msxcm_post_with_no_image":false,"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"post_tag":[308,218],"content-type":[361],"topic":[2242],"programming-languages":[],"coauthors":[2600,1884],"class_list":["post-97388","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-azure-kubernetes-service","tag-terraform","content-type-project-updates","topic-containers","review-flag-1593580428-734","review-flag-1593580771-946","review-flag-1-1593580432-963","review-flag-2-1593580437-411","review-flag-3-1593580442-169","review-flag-4-1593580448-609","review-flag-5-1593580453-725","review-flag-7-1593580463-151","review-flag-never-1593580314-283","review-flag-new-1593580248-669"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>JWT it like it&#039;s hot: A practical guide for Kubernetes Structured Authentication | Microsoft Open Source Blog<\/title>\n<meta name=\"description\" content=\"With this practical guide, you now know how to secure your Kubernetes cluster using the structured authentication feature, offering flexible integration with any JWT-compliant token provider. 
Learn more.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"JWT it like it&#039;s hot: A practical guide for Kubernetes Structured Authentication | Microsoft Open Source Blog\" \/>\n<meta property=\"og:description\" content=\"With this practical guide, you now know how to secure your Kubernetes cluster using the structured authentication feature, offering flexible integration with any JWT-compliant token provider. Learn more.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Open Source Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-08T15:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-30T23:55:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/WIN23_PRO_Acer_Concept_D_Office_003.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1170\" \/>\n\t<meta property=\"og:image:height\" content=\"640\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Paul Yu, Anish Ramasekar\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@OpenAtMicrosoft\" \/>\n<meta name=\"twitter:site\" content=\"@OpenAtMicrosoft\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Paul Yu, Anish Ramasekar\" \/>\n\t<meta 
name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 min read\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/\"},\"author\":[{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/author\/paul-yu\/\",\"@type\":\"Person\",\"@name\":\"Paul Yu\"},{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/author\/anish-ramasekar\/\",\"@type\":\"Person\",\"@name\":\"Anish Ramasekar\"}],\"headline\":\"JWT it like it&#8217;s hot: A practical guide for Kubernetes Structured Authentication\",\"datePublished\":\"2025-05-08T15:00:00+00:00\",\"dateModified\":\"2025-05-30T23:55:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/\"},\"wordCount\":1435,\"publisher\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/WIN23_PRO_Acer_Concept_D_Office_003.webp\",\"keywords\":[\"Azure Kubernetes 
Service\",\"Terraform\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/\",\"name\":\"JWT it like it's hot: A practical guide for Kubernetes Structured Authentication | Microsoft Open Source Blog\",\"isPartOf\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/WIN23_PRO_Acer_Concept_D_Office_003.webp\",\"datePublished\":\"2025-05-08T15:00:00+00:00\",\"dateModified\":\"2025-05-30T23:55:36+00:00\",\"description\":\"With this practical guide, you now know how to secure your Kubernetes cluster using the structured authentication feature, offering flexible integration with any JWT-compliant token provider. 
Learn more.\",\"breadcrumb\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#primaryimage\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/WIN23_PRO_Acer_Concept_D_Office_003.webp\",\"contentUrl\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/WIN23_PRO_Acer_Concept_D_Office_003.webp\",\"width\":1170,\"height\":640},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/opensource.microsoft.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"JWT it like it&#8217;s hot: A practical guide for Kubernetes Structured Authentication\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#website\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/\",\"name\":\"Microsoft Open Source Blog\",\"description\":\"Open dialogue about openness at Microsoft \u2013 open source, standards, 
interoperability\",\"publisher\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/opensource.microsoft.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#organization\",\"name\":\"Microsoft Open Source Blog\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png\",\"contentUrl\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png\",\"width\":259,\"height\":194,\"caption\":\"Microsoft Open Source Blog\"},\"image\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/OpenAtMicrosoft\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"JWT it like it's hot: A practical guide for Kubernetes Structured Authentication | Microsoft Open Source Blog","description":"With this practical guide, you now know how to secure your Kubernetes cluster using the structured authentication feature, offering flexible integration with any JWT-compliant token provider. 
Learn more.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/","og_locale":"en_US","og_type":"article","og_title":"JWT it like it's hot: A practical guide for Kubernetes Structured Authentication | Microsoft Open Source Blog","og_description":"With this practical guide, you now know how to secure your Kubernetes cluster using the structured authentication feature, offering flexible integration with any JWT-compliant token provider. Learn more.","og_url":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/","og_site_name":"Microsoft Open Source Blog","article_published_time":"2025-05-08T15:00:00+00:00","article_modified_time":"2025-05-30T23:55:36+00:00","og_image":[{"width":1170,"height":640,"url":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/WIN23_PRO_Acer_Concept_D_Office_003.png","type":"image\/png"}],"author":"Paul Yu, Anish Ramasekar","twitter_card":"summary_large_image","twitter_creator":"@OpenAtMicrosoft","twitter_site":"@OpenAtMicrosoft","twitter_misc":{"Written by":"Paul Yu, Anish Ramasekar","Est. 
reading time":"8 min read"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#article","isPartOf":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/"},"author":[{"@id":"https:\/\/opensource.microsoft.com\/blog\/author\/paul-yu\/","@type":"Person","@name":"Paul Yu"},{"@id":"https:\/\/opensource.microsoft.com\/blog\/author\/anish-ramasekar\/","@type":"Person","@name":"Anish Ramasekar"}],"headline":"JWT it like it&#8217;s hot: A practical guide for Kubernetes Structured Authentication","datePublished":"2025-05-08T15:00:00+00:00","dateModified":"2025-05-30T23:55:36+00:00","mainEntityOfPage":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/"},"wordCount":1435,"publisher":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#organization"},"image":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#primaryimage"},"thumbnailUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/WIN23_PRO_Acer_Concept_D_Office_003.webp","keywords":["Azure Kubernetes Service","Terraform"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/","url":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/","name":"JWT it like it's hot: A practical guide for Kubernetes Structured Authentication | Microsoft Open Source 
Blog","isPartOf":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#primaryimage"},"image":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#primaryimage"},"thumbnailUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/WIN23_PRO_Acer_Concept_D_Office_003.webp","datePublished":"2025-05-08T15:00:00+00:00","dateModified":"2025-05-30T23:55:36+00:00","description":"With this practical guide, you now know how to secure your Kubernetes cluster using the structured authentication feature, offering flexible integration with any JWT-compliant token provider. Learn more.","breadcrumb":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#primaryimage","url":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/WIN23_PRO_Acer_Concept_D_Office_003.webp","contentUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/WIN23_PRO_Acer_Concept_D_Office_003.webp","width":1170,"height":640},{"@type":"BreadcrumbList","@id":"https:\/\/opensource.microsoft.com\/blog\/2025\/05\/08\/jwt-it-like-its-hot-a-practical-guide-for-kubernetes-structured-authentication\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/ope
nsource.microsoft.com\/blog\/"},{"@type":"ListItem","position":2,"name":"JWT it like it&#8217;s hot: A practical guide for Kubernetes Structured Authentication"}]},{"@type":"WebSite","@id":"https:\/\/opensource.microsoft.com\/blog\/#website","url":"https:\/\/opensource.microsoft.com\/blog\/","name":"Microsoft Open Source Blog","description":"Open dialogue about openness at Microsoft \u2013 open source, standards, interoperability","publisher":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/opensource.microsoft.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/opensource.microsoft.com\/blog\/#organization","name":"Microsoft Open Source Blog","url":"https:\/\/opensource.microsoft.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","contentUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","width":259,"height":194,"caption":"Microsoft Open Source Blog"},"image":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/OpenAtMicrosoft"]}]}},"msxcm_display_generated_audio":false,"msxcm_animated_featured_image":null,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Open Source 
Blog","distributor_original_site_url":"https:\/\/opensource.microsoft.com\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/97388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/users\/6153"}],"replies":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/comments?post=97388"}],"version-history":[{"count":36,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/97388\/revisions"}],"predecessor-version":[{"id":97516,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/97388\/revisions\/97516"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/media\/95492"}],"wp:attachment":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/media?parent=97388"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/post_tag?post=97388"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/content-type?post=97388"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/topic?post=97388"},{"taxonomy":"programming-languages","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/programming-languages?post=97388"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/coauthors?post=97388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}