OIDC token update failing in v1.25.2

Open dimm0 opened this issue 3 years ago • 2 comments

What happened:

The JWT OIDC tokens from CILogon that used to work perfectly for years can’t be refreshed in kubectl 1.25.2.

Error:

Unable to connect to the server: failed to refresh token: oauth2: cannot fetch token: 400 Bad Request Response: {"error":"invalid_grant","error_description":"invalid refresh token"}

What you expected to happen: Token refreshes fine.

How to reproduce it (as minimally and precisely as possible):

  • Set up the "public" OIDC client at https://www.cilogon.org/oidc
  • Set up k8s auth for this client
  • Get token, wait 15 minutes, see it broken.

Anything else we need to know?:

Environment:

  • Kubernetes client and server versions (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.2", GitCommit:"5835544ca568b757a8ecae5c153f317e5736700e", GitTreeState:"clean", BuildDate:"2022-09-21T14:25:45Z", GoVersion:"go1.19.1", Compiler:"gc", Platform:"darwin/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.12", GitCommit:"b058e1760c79f46a834ba59bd7a3486ecf28237d", GitTreeState:"clean", BuildDate:"2022-07-13T14:53:39Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration: kubeadm, baremetal
  • OS (e.g: cat /etc/os-release): MacOS+brew

dimm0 avatar Oct 07 '22 03:10 dimm0

@dimm0: This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Oct 07 '22 03:10 k8s-ci-robot

@dimm0 can you please test with older versions of kubectl and determine the last version that works?

Also your version skew from your client is unsupported.

eddiezane avatar Oct 12 '22 16:10 eddiezane

Can’t reproduce with versions downloaded from GitHub. Closing (might be the brew version issue?)

dimm0 avatar Oct 19 '22 19:10 dimm0