cyberark / conjur-api-go

Go client for the CyberArk Conjur API
Apache License 2.0

Add OIDC Authenticator support #54

Open MTNPCGCG opened 4 years ago

MTNPCGCG commented 4 years ago

Would like to see support for the Conjur OIDC provider.

The authenticator shouldn't try to handle OIDC login flows - instead it should just take an ID token. The refresh/login flow should be the concern of code that is invoking this module. It does mean, though, that the authenticator may have to be updated with a new ID token on occasion.

MTNPCGCG commented 4 years ago

It does look like the alternate option here is just to implement a separate authenticate call to create a token and store it to a file, then using tokenfile for the client.

sgnn7 commented 4 years ago

@MTNPCGCG Your second comment is spot on and it's definitely a desired feature. We do need a way to specify where to find that OIDC token file as the added functionality to support this.

MTNPCGCG commented 4 years ago

sgnn, I've proposed https://github.com/cyberark/conjur-api-go/pull/55 for this. I actually opted not to be token file backed at present; it's a bit of a choice on what approach to take. Since we're wiring this into an application, this is easier. If you were going to use the token file. If someone wants to take a variation of this that does use the token file instead, they're welcome to.
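
The design described in the opening comment (the authenticator only takes an ID token, while the invoking code owns login and refresh and pushes new tokens in) as an added example; this is not code from PR #55 or from conjur-api-go. The `OIDCAuthenticator` type, its `AuthnURL` and `Client` fields, and the `id_token` form field name are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"sync"
)

// OIDCAuthenticator is hypothetical (not a conjur-api-go type). It never runs
// an OIDC login flow: the caller obtains ID tokens and pushes them in.
type OIDCAuthenticator struct {
	mu       sync.RWMutex
	idToken  string
	AuthnURL string       // authenticate endpoint, supplied by the caller (assumed)
	Client   *http.Client // caller controls TLS roots and timeouts
}

// SetIDToken swaps in a freshly issued ID token; safe for concurrent use.
func (a *OIDCAuthenticator) SetIDToken(tok string) {
	a.mu.Lock()
	a.idToken = tok
	a.mu.Unlock()
}

// Authenticate posts the current ID token and returns the response body.
// Errors carry only the HTTP status, never the ID token.
func (a *OIDCAuthenticator) Authenticate() ([]byte, error) {
	a.mu.RLock()
	tok := a.idToken
	a.mu.RUnlock()
	if tok == "" {
		return nil, fmt.Errorf("no ID token set; caller must complete login first")
	}
	// The "id_token" form field name is an assumption about the server side.
	resp, err := a.Client.PostForm(a.AuthnURL, url.Values{"id_token": {tok}})
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("authenticate failed: HTTP %d", resp.StatusCode)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap response size
}

func main() {
	_, err := (&OIDCAuthenticator{Client: http.DefaultClient}).Authenticate()
	fmt.Println("before SetIDToken:", err) // fails before any network call
}
```

When the server rejects an expired ID token, the caller refreshes through its own OIDC flow, calls `SetIDToken` with the new token, and retries.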