Refresh expired OIDC tokens
In #126 I added support for authenticating with an OIDC token. However, I did not implement automatically refreshing that token.
This issue tracks adding token refreshing.
Here's an Apache 2.0 licensed implementation from pykube-ng that might be useful for reference when implementing the JWT token refreshing.
https://codeberg.org/hjacobs/pykube-ng/src/commit/c1ac2c97587249e418d04d91f1297d4ffe3631c3/pykube/http.py#L282
Our organization prohibits refresh tokens with OIDC to optimize security. We would greatly appreciate it if kr8s didn't assume the presence of a refresh-token field in the Kubernetes configuration file, and returned a 401 when the token was expired.
Ok I've opened #126 which just uses the OIDC token directly with no refreshing. This was pretty quick to implement.
We probably do want to support refreshing too if other libraries do that, but as @droctothorpe says, we only want to do that if a refresh-token field is present.
Looking at pykube-ng's implementation they seem to do the following:
- Decode the token and check the validity of the format against the OIDC token spec.
- Check the expiry isn't very soon.
- If invalid or expired make a request to refresh the token.
- Write the token back to .kube/config.
I would be interested to dig into other libraries and see if they do any of this validation/refreshing/writing as it feels a little out of scope. But equally if everyone is doing it we probably should too.
Looking at the Kubernetes go-client they check the expiry of the token and if it is expired (or will be in the next 10 seconds) they refresh it. I haven't yet found where that gets written back to the config, but I assume it must happen in kubectl somewhere.
https://github.com/kubernetes/client-go/blob/c5b1c13ccbedeb03c00ba162ef27566b0dfb512d/plugin/pkg/client/auth/oidc/oidc.go#L221-L288
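The refresh decision described in this thread (decode the JWT, check `exp` with the 10 second leeway client-go uses, refresh only when a refresh-token is present, write the new token back into the config, and otherwise fail in a way the client can surface as a 401), as an added Python example. This is not kr8s, pykube-ng or client-go code. It assumes a `refresh` callable supplied by the caller that performs the refresh grant against the issuer and returns the new id-token, and `make_unsigned_jwt` only builds structurally valid tokens with a dummy signature for constructed test data; the `id-token` and `refresh-token` keys mirror the `auth-provider.config` mapping in a kubeconfig user entry.

```python
"""Added example (not kr8s, pykube-ng or client-go code): decide when an OIDC
id-token from a kubeconfig auth-provider config must be refreshed, and refuse
to refresh when no refresh-token is configured."""
import base64
import json
import time
from typing import Callable, Optional

# client-go's OIDC plugin refreshes when the token expires within 10 seconds.
EXPIRY_LEEWAY_SECONDS = 10


class TokenExpiredError(Exception):
    """Raised when the id-token is expired and no refresh-token is available.
    A client should surface this as a 401 rather than silently retrying."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a JWT without verifying its signature.

    Only the structure is checked (three segments, JSON header carrying "alg",
    JSON object payload). The API server is the party that verifies the
    signature; the client only needs "exp" to decide whether to refresh.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-segment JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("JWT header is missing the alg field")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def token_needs_refresh(token: str, now: Optional[float] = None,
                        leeway: float = EXPIRY_LEEWAY_SECONDS) -> bool:
    """True if the token is expired or will expire within `leeway` seconds."""
    exp = decode_jwt_claims(token).get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("JWT has no numeric exp claim")
    now = time.time() if now is None else now
    return exp - now <= leeway


def resolve_id_token(config: dict, refresh: Callable[[dict], str],
                     now: Optional[float] = None) -> str:
    """Return a usable id-token from an auth-provider config mapping.

    `config` holds the keys found under auth-provider.config in a kubeconfig
    (id-token, refresh-token, client-id, ...). `refresh` is caller supplied
    (assumption: it runs the refresh grant against the issuer and returns the
    new id-token) and is only called when a refresh-token exists. On success
    the new token is written back into `config` so the caller can persist it.
    """
    token = config.get("id-token")
    if not token or token_needs_refresh(token, now=now):
        if not config.get("refresh-token"):
            # No refresh allowed: let the caller report this as a 401.
            raise TokenExpiredError("id-token expired and no refresh-token configured")
        token = refresh(config)
        # Do not trust an issuer response that is already unusable.
        if token_needs_refresh(token, now=now):
            raise TokenExpiredError("issuer returned an already-expired id-token")
        config["id-token"] = token
    return token


def make_unsigned_jwt(claims: dict) -> str:
    """Build a structurally valid JWT with a dummy signature (constructed test data only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    now = 1_700_000_000
    cfg = {"id-token": make_unsigned_jwt({"exp": now - 60}), "refresh-token": "rt"}
    fresh = resolve_id_token(cfg, lambda c: make_unsigned_jwt({"exp": now + 3600}), now=now)
    print("refreshed:", cfg["id-token"] == fresh)
```

Passing `now` explicitly keeps the expiry check deterministic for tests; in a client it defaults to the wall clock. Writing the token back into the config dict is separate from persisting it to `.kube/config`, which is left to the caller because that is the step the thread flags as possibly out of scope.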