cloudfoundry / cf-crd-explorations

Apache License 2.0

Spike: implement OIDC token refreshing in the `cf` CLI #37

Closed gcapizzi closed 3 years ago

gcapizzi commented 3 years ago

Background

Refresh tokens are a way for OAuth2/OIDC clients to stay authenticated after their access/ID token has expired by exchanging a separate refresh token for a new access/ID token. `cf` already does this with UAA. In the absence of token refreshing, the user needs to log in again every time their token expires.

After #33 we know that we want to implement refresh tokens, as:

More details in OAuth 2.0 Simplified.

Deliverables

A fork of cf that can refresh OIDC tokens obtained using the oidc-login plugin.

Dev Notes

We know that, in order to get a refresh token from an OIDC provider, the `offline_access` scope needs to be requested. Unfortunately not all providers implement it, so we'll need to use the `scopes_supported` OIDC Discovery claim, which in turn is not supported by all providers 😓. The Dex example-app handles this here.
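As an added illustration (not code from the `cf` CLI, the oidc-login plugin or Dex), the Go snippet below shows the decision the comment describes: read the optional `scopes_supported` claim from a discovery document, request `offline_access` only when the provider either advertises it or publishes no scope list at all, and decide when a cached token is due for refresh. The discovery documents and timestamps are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// discovery holds the only OIDC Discovery field we need. scopes_supported is
// a RECOMMENDED (not REQUIRED) claim, so providers may omit it entirely.
type discovery struct {
	ScopesSupported []string `json:"scopes_supported"`
}

// wantOfflineAccess reports whether "offline_access" should be requested:
// true when the provider advertises it, and also when it publishes no
// scopes_supported claim (we cannot tell, so assume the spec is followed).
func wantOfflineAccess(discoveryJSON []byte) (bool, error) {
	var d discovery
	if err := json.Unmarshal(discoveryJSON, &d); err != nil {
		return false, fmt.Errorf("parsing discovery document: %w", err)
	}
	if len(d.ScopesSupported) == 0 {
		return true, nil
	}
	for _, s := range d.ScopesSupported {
		if s == "offline_access" {
			return true, nil
		}
	}
	return false, nil
}

// authScopes builds the scope list for the authorization request.
func authScopes(offline bool) []string {
	scopes := []string{"openid", "profile", "email"}
	if offline {
		scopes = append(scopes, "offline_access")
	}
	return scopes
}

// needsRefresh is true once the token is within skew of its expiry, so the
// refresh happens before an API call can fail with an expired token.
func needsRefresh(expiry, now time.Time, skew time.Duration) bool {
	return !now.Add(skew).Before(expiry)
}

func main() {
	// Constructed discovery document from a hypothetical provider.
	offline, err := wantOfflineAccess([]byte(`{"scopes_supported":["openid","offline_access"]}`))
	fmt.Println(offline, err, authScopes(offline))
}
```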

gcapizzi commented 3 years ago

We are shifting our approach to supporting `$KUBECONFIG` instead. We still need to figure out token refreshing as part of supporting the OIDC auth-provider, so we'll carry on there.