* Recognize path from redirect url in callback server
* Fix lint error and refactor
---------
Co-authored-by: Andrew Baxter <>
Co-authored-by: Hidetake Iwata <int128@gmail.com>
* Issue 931: Support Client Credentials Flow
* Move client-credentials to use --oidc-auth-request-extra-params
* Missed a file in moving to --oidc-auth-request-extra-params
* Support --oidc-use-access-token
* make generate
---------
Co-authored-by: Hidetake Iwata <int128@gmail.com>
* Add new `--oidc-use-access-token` flag to `get-token`
Implements https://github.com/int128/kubelogin/issues/1083. See
description there for context.
In its current form, this PR is bare bones functionality. I have not yet
added any tests to confirm this behavior. Additionally, we could
consider updtating some of the naming. It is confusing to return a
`TokenSet` where `IDToken` actually has an `accessToken`. I'm open to
feedback on how best to improve this.
However, this PR is functional. I have validated it locally. Without
adding `--oidc-use-access-token`, and `id_token` is successfully
returned. Adding `--oidc-use-access-token` results in an `access_token`
being successfully returned.
* Fix failing tests
Needed to plumb through our new parameter `UseAccessToken` to the mocks
as well.
* Add a test to make sure new flag is plumbed through
* Support Access Tokens whose audience differ from the client_id
As noted in the PR, there are some cases where the access token `aud`
field will not be the `client_id`. To allow for these, we use a
different token verifier that will not verify that claim.
---------
Co-authored-by: Adam kafka <akafka@tesla.com>
