kubelogin

Use offline_access scope instead of access_type parameter

Open int128 opened this issue 5 years ago • 0 comments

Describe the issue

Currently the access_type=offline parameter is set to get a refresh token, but some providers do not support it.

https://github.com/int128/kubelogin/blob/14e58ac4c2e4e8b57bc0eb3823388b4ada58917c/pkg/adaptors/oidcclient/oidcclient.go#L118

It would be better to use the offline_access scope defined in OpenID Connect instead:

https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

OpenID Connect defines the following scope value to request offline access:

offline_access OPTIONAL. This scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in).

ref: https://github.com/int128/kubelogin/pull/396

Google Identity Platform

It returns a refresh token with the access_type=offline parameter. As far as I tested, it does not support the offline_access scope.

Error 400: invalid_scope Some requested scopes were invalid. {valid=[openid], invalid=[offline_access]}

Okta

It requires the offline_access scope to get a refresh token. See https://developer.okta.com/docs/guides/refresh-tokens/get-refresh-token/.

Proposal

The offline_access scope is not supported by all providers, so it would be difficult to switch immediately.

Keep the current spec (sending access_type=offline always) and add an explanation of offline_access scope to the doc like #396.

int128, Oct 24 '20 00:10
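The provider difference discussed in this issue, as an added example in Go that is not kubelogin's own code: an authorization request builder that always sends access_type=offline (the behaviour the proposal keeps) and adds the standard offline_access scope only when the caller opts in, so the same client can be pointed at Google (which rejects offline_access) or Okta (which requires it). The type and function names (AuthRequest, EffectiveScopes, BuildAuthURL, OfflineAccessRejected) and the endpoint URLs in main are this example's own assumptions; OfflineAccessRejected is a heuristic that assumes the provider returns the rejection through the standard error/error_description parameters.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// AuthRequest holds what this example needs to build an OpenID Connect
// authorization request. Field names are this example's own, not kubelogin's.
type AuthRequest struct {
	AuthorizationEndpoint string   // provider's authorization endpoint
	ClientID              string
	RedirectURI           string
	Scopes                []string // caller-supplied scopes; "openid" is added if absent
	State                 string   // CSRF token; must be unguessable in real use
	Nonce                 string   // binds the ID token to this request
	// UseOfflineAccessScope adds the standard offline_access scope. Providers
	// like Okta need it; it must stay false for Google, which rejects it.
	UseOfflineAccessScope bool
}

// EffectiveScopes returns the scope list actually sent: openid first, then the
// caller's scopes, then offline_access if requested, with duplicates removed.
func EffectiveScopes(r AuthRequest) []string {
	seen := map[string]bool{}
	var out []string
	add := func(s string) {
		if s != "" && !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	add("openid")
	for _, s := range r.Scopes {
		add(s)
	}
	if r.UseOfflineAccessScope {
		add("offline_access")
	}
	return out
}

// BuildAuthURL builds the authorization request URL. access_type=offline is
// always sent: Google needs it to issue a refresh token, and RFC 6749 section
// 3.1 requires authorization servers to ignore unrecognised parameters, so it
// is harmless for providers that do not know it.
func BuildAuthURL(r AuthRequest) (string, error) {
	if r.ClientID == "" || r.RedirectURI == "" || r.State == "" || r.Nonce == "" {
		return "", errors.New("client_id, redirect_uri, state and nonce are required")
	}
	u, err := url.Parse(r.AuthorizationEndpoint)
	if err != nil {
		return "", fmt.Errorf("invalid authorization endpoint: %w", err)
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", r.ClientID)
	q.Set("redirect_uri", r.RedirectURI)
	q.Set("scope", strings.Join(EffectiveScopes(r), " "))
	q.Set("state", r.State)
	q.Set("nonce", r.Nonce)
	q.Set("access_type", "offline")
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// OfflineAccessRejected reports whether an OAuth 2.0 error response
// (error / error_description, RFC 6749 section 4.1.2.1) looks like a provider
// rejecting the offline_access scope, as Google does. This is a heuristic and
// an assumption of this example: a caller could retry without the scope.
func OfflineAccessRejected(errCode, errDescription string) bool {
	return errCode == "invalid_scope" && strings.Contains(errDescription, "offline_access")
}

func main() {
	// Illustrative endpoints and client settings (assumed values, not real registrations).
	google := AuthRequest{
		AuthorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
		ClientID: "example-client", RedirectURI: "http://localhost:8000",
		Scopes: []string{"email"}, State: "state-123", Nonce: "nonce-456",
	}
	okta := google
	okta.AuthorizationEndpoint = "https://example.okta.com/oauth2/default/v1/authorize"
	okta.UseOfflineAccessScope = true
	for _, r := range []AuthRequest{google, okta} {
		u, err := BuildAuthURL(r)
		if err != nil {
			panic(err)
		}
		fmt.Println(u)
	}
	// Constructed from the Google error text quoted in the issue.
	fmt.Println(OfflineAccessRejected("invalid_scope",
		"Some requested scopes were invalid. {valid=[openid], invalid=[offline_access]}"))
}
```

Because the verifier in kubelogin's position cannot know in advance which convention a given issuer follows, the flag is the practical knob: default to access_type=offline only, and let users of Okta-style providers add offline_access through an extra-scope setting, which is exactly what the proposal's documentation change would tell them to do.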