The token cache key computation did not include the AuthRequestExtraParams
values from the --oidc-auth-request-extra-params flag. This caused tokens
with different extra parameters (e.g., different audience values) to
incorrectly share the same cache entry.
Changes:
- Add AuthRequestExtraParams field to tokencache.Key struct
- Add AuthRequestExtraParams() method to GrantOptionSet to extract
extra params from whichever grant option is set
- Update get_token.go to include extra params in cache key
- Add comprehensive tests for cache key differentiation
Fixes #1496
* Added key cache via OS keyring
* Fix lint issue
* Disable keyring in integration tests
* Disable keyring in system test
---------
Co-authored-by: Hidetake Iwata <int128@gmail.com>
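As an added illustration of the cache key fix described in the first message above (this is not kubelogin's own code; the field names, the hashing scheme and the sample values are assumptions), the following Go snippet derives a deterministic cache entry name from a key that includes the auth-request extra parameters, and keeps a pre-fix variant that ignores them so the collision between different audience values is visible. Map entries and scopes are sorted before hashing so that equal inputs always map to the same entry regardless of iteration order.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Key is a constructed stand-in for a token cache key. The real
// tokencache.Key in kubelogin has other fields; only the ones relevant to
// the fix are modelled here.
type Key struct {
	Provider               string            // issuer URL
	ClientID               string            // OIDC client_id
	Scopes                 []string          // requested scopes
	AuthRequestExtraParams map[string]string // from --oidc-auth-request-extra-params
}

// canonical renders the key as a deterministic string: scopes are sorted and
// extra params are emitted in key order, so equal keys always hash alike.
// When includeExtra is false the extra params are left out, which is the
// pre-fix behaviour that let different audiences share one cache entry.
func canonical(k Key, includeExtra bool) string {
	scopes := append([]string(nil), k.Scopes...)
	sort.Strings(scopes)

	var b strings.Builder
	fmt.Fprintf(&b, "provider=%s\x00client_id=%s\x00scopes=%s\x00",
		k.Provider, k.ClientID, strings.Join(scopes, ","))

	if includeExtra {
		names := make([]string, 0, len(k.AuthRequestExtraParams))
		for n := range k.AuthRequestExtraParams {
			names = append(names, n)
		}
		sort.Strings(names)
		for _, n := range names {
			fmt.Fprintf(&b, "extra.%s=%s\x00", n, k.AuthRequestExtraParams[n])
		}
	}
	return b.String()
}

// CacheEntryName is the fixed computation: extra params are part of the key.
func CacheEntryName(k Key) string {
	sum := sha256.Sum256([]byte(canonical(k, true)))
	return hex.EncodeToString(sum[:])
}

// CacheEntryNameIgnoringExtraParams reproduces the defective computation
// that did not include AuthRequestExtraParams in the key.
func CacheEntryNameIgnoringExtraParams(k Key) string {
	sum := sha256.Sum256([]byte(canonical(k, false)))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample: same issuer, client and scopes, different audience.
	a := Key{
		Provider:               "https://issuer.example",
		ClientID:               "kubernetes",
		Scopes:                 []string{"openid", "email"},
		AuthRequestExtraParams: map[string]string{"audience": "cluster-a"},
	}
	b := a
	b.AuthRequestExtraParams = map[string]string{"audience": "cluster-b"}

	fmt.Println("pre-fix  a:", CacheEntryNameIgnoringExtraParams(a))
	fmt.Println("pre-fix  b:", CacheEntryNameIgnoringExtraParams(b)) // identical: collision
	fmt.Println("post-fix a:", CacheEntryName(a))
	fmt.Println("post-fix b:", CacheEntryName(b)) // distinct entries
}
```

Two keys that differ only in the `audience` extra parameter collide under the pre-fix computation and get separate entries under the fixed one; two keys with identical contents still hash to the same entry, which is what makes the cache usable at all.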
* Infer apiVersion from KUBERNETES_EXEC_INFO
* Test client.authentication.k8s.io/v1
* Set --exec-interactive-mode
* Set --exec-interactive-mode=Never
* Fix comments
* Add new `--oidc-use-access-token` flag to `get-token`
Implements https://github.com/int128/kubelogin/issues/1083. See
description there for context.
In its current form, this PR is bare bones functionality. I have not yet
added any tests to confirm this behavior. Additionally, we could
consider updating some of the naming. It is confusing to return a
`TokenSet` where `IDToken` actually has an `accessToken`. I'm open to
feedback on how best to improve this.
However, this PR is functional. I have validated it locally. Without
adding `--oidc-use-access-token`, an `id_token` is successfully
returned. Adding `--oidc-use-access-token` results in an `access_token`
being successfully returned.
* Fix failing tests
Needed to plumb through our new parameter `UseAccessToken` to the mocks
as well.
* Add a test to make sure new flag is plumbed through
* Support Access Tokens whose audience differs from the client_id
As noted in the PR, there are some cases where the access token `aud`
field will not be the `client_id`. To allow for these, we use a
different token verifier that will not verify that claim.
---------
Co-authored-by: Adam kafka <akafka@tesla.com>
* feat(389): Prevent concurrent authentication using a lockfile to protect the local port allocation.
* Fix test
* Refactor: inline values
Co-authored-by: Hidetake Iwata <int128@gmail.com>
* Refactor: remove kubeconfig.OIDCConfig for single responsibility
* fixup: add comments and rename methods
* fixup: fix methods name
* fixup: replace GetX509OrNil with SetRootCAs