The token cache key computation did not include the AuthRequestExtraParams
values from the --oidc-auth-request-extra-params flag. This caused tokens
with different extra parameters (e.g., different audience values) to
incorrectly share the same cache entry.
Changes:
- Add AuthRequestExtraParams field to tokencache.Key struct
- Add AuthRequestExtraParams() method to GrantOptionSet to extract
  extra params from whichever grant option is set
- Update get_token.go to include extra params in cache key
- Add comprehensive tests for cache key differentiation
Fixes #1496
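To illustrate the collision this commit describes, here is an added Go example (it is not kubelogin's code; the Key fields and the digest function are assumptions) that derives a cache key with and without the extra parameters:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Key is a hypothetical stand-in for the fields identifying a cached token.
// It is not kubelogin's tokencache.Key; the field set is an assumption.
type Key struct {
	IssuerURL              string
	ClientID               string
	AuthRequestExtraParams map[string]string
}

// digest derives the cache entry name from the key. includeExtra=false
// reproduces the pre-fix behaviour where the extra params were ignored.
func digest(k Key, includeExtra bool) string {
	h := sha256.New()
	// Length-prefix each field so that different field layouts cannot collide.
	fmt.Fprintf(h, "%d:%s%d:%s", len(k.IssuerURL), k.IssuerURL, len(k.ClientID), k.ClientID)
	if includeExtra {
		// Sort the names: map iteration order must not change the digest.
		names := make([]string, 0, len(k.AuthRequestExtraParams))
		for n := range k.AuthRequestExtraParams {
			names = append(names, n)
		}
		sort.Strings(names)
		for _, n := range names {
			v := k.AuthRequestExtraParams[n]
			fmt.Fprintf(h, "%d:%s%d:%s", len(n), n, len(v), v)
		}
	}
	return hex.EncodeToString(h.Sum(nil))
}

// KeysCollide reports whether two requests that differ only in the audience
// extra param would share one cache entry (constructed sample values).
func KeysCollide(includeExtra bool) bool {
	a := Key{"https://issuer.example", "kubernetes", map[string]string{"audience": "api-a"}}
	b := Key{"https://issuer.example", "kubernetes", map[string]string{"audience": "api-b"}}
	return digest(a, includeExtra) == digest(b, includeExtra)
}

func main() {
	fmt.Println("collide without extra params:", KeysCollide(false)) // true
	fmt.Println("collide with extra params:   ", KeysCollide(true))  // false
}
```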
* Recognize path from redirect url in callback server
* Fix lint error and refactor
---------
Co-authored-by: Andrew Baxter <>
Co-authored-by: Hidetake Iwata <int128@gmail.com>
* Issue 931: Support Client Credentials Flow
* Move client-credentials to use --oidc-auth-request-extra-params
* Missed a file in moving to --oidc-auth-request-extra-params
* Support --oidc-use-access-token
* make generate
---------
Co-authored-by: Hidetake Iwata <int128@gmail.com>
* Added key cache via OS keyring
* Fix lint issue
* Disable keyring in integration tests
* Disable keyring in system test
---------
Co-authored-by: Hidetake Iwata <int128@gmail.com>
* Infer apiVersion from KUBERNETES_EXEC_INFO
* Test client.authentication.k8s.io/v1
* Set --exec-interactive-mode
* Set --exec-interactive-mode=Never
* Fix comments
* Add new `--oidc-use-access-token` flag to `get-token`
Implements https://github.com/int128/kubelogin/issues/1083. See
description there for context.
In its current form, this PR is bare bones functionality. I have not yet
added any tests to confirm this behavior. Additionally, we could
consider updating some of the naming. It is confusing to return a
`TokenSet` where `IDToken` actually has an `accessToken`. I'm open to
feedback on how best to improve this.
However, this PR is functional. I have validated it locally. Without
adding `--oidc-use-access-token`, an `id_token` is successfully
returned. Adding `--oidc-use-access-token` results in an `access_token`
being successfully returned.
* Fix failing tests
Needed to plumb through our new parameter `UseAccessToken` to the mocks
as well.
* Add a test to make sure new flag is plumbed through
* Support Access Tokens whose audience differ from the client_id
As noted in the PR, there are some cases where the access token `aud`
field will not be the `client_id`. To allow for these, we use a
different token verifier that will not verify that claim.
---------
Co-authored-by: Adam kafka <akafka@tesla.com>
This adds a check for the existence of a (non-empty) `KUBECACHEDIR`
environment variable that will be used to construct the cache directory
path if present.