The token cache key computation did not include the AuthRequestExtraParams
values from the --oidc-auth-request-extra-params flag. This caused tokens
with different extra parameters (e.g., different audience values) to
incorrectly share the same cache entry.
Changes:
- Add AuthRequestExtraParams field to tokencache.Key struct
- Add AuthRequestExtraParams() method to GrantOptionSet to extract
extra params from whichever grant option is set
- Update get_token.go to include extra params in cache key
- Add comprehensive tests for cache key differentiation
Fixes#1496
* Issue 931: Support Client Credentials Flow
* Move client-credentials to use --oidc-auth-request-extra-params
* Missed a file in moving to --oidc-auth-request-extra-params
* Support --oidc-use-access-token
* make generate
---------
Co-authored-by: Hidetake Iwata <int128@gmail.com>
* Add new `--oidc-use-access-token` flag to `get-token`
Implements https://github.com/int128/kubelogin/issues/1083. See
description there for context.
In its current form, this PR is bare bones functionality. I have not yet
added any tests to confirm this behavior. Additionally, we could
consider updtating some of the naming. It is confusing to return a
`TokenSet` where `IDToken` actually has an `accessToken`. I'm open to
feedback on how best to improve this.
However, this PR is functional. I have validated it locally. Without
adding `--oidc-use-access-token`, and `id_token` is successfully
returned. Adding `--oidc-use-access-token` results in an `access_token`
being successfully returned.
* Fix failing tests
Needed to plumb through our new parameter `UseAccessToken` to the mocks
as well.
* Add a test to make sure new flag is plumbed through
* Support Access Tokens whose audience differ from the client_id
As noted in the PR, there are some cases where the access token `aud`
field will not be the `client_id`. To allow for these, we use a
different token verifier that will not verify that claim.
---------
Co-authored-by: Adam kafka <akafka@tesla.com>
* Add --oidc-extra-url-params argument
This accepts a comma-separated list of key-value pairs that will be
added to get token requests as query string parameters.
Closes#254.
* Refactor
- move code setting the extra params to the authorization code flow specific functions (it is not needed in ROPC flow)
- add unit tests
- rename flag to --oidc-auth-request-extra-params
- add description to README.md
* Add integration test for --oidc-auth-request-extra-params
Co-authored-by: Hidetake Iwata <int128@gmail.com>
* Refactor: remove kubeconfig.OIDCConfig for single responsibility
* fixup: add comments and rename methods
* fixup: fix methods name
* fixup: replace GetX509OrNil with SetRootCAs
