int128 / kubelogin

kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)
Apache License 2.0

Make access_type param configurable #1063

Open relaxdiego opened 4 months ago

relaxdiego commented 4 months ago

Purpose of the feature (why)

We need kubectl to request consent from the user once their id_token has expired. However, having the refresh_token always requested by this code makes that impossible.

Our security standards require that no long-lived tokens be present in the kubectl user's machine and refresh_token is one of them. While we understand that this presents an inconvenience to the user every time id_token expires, we believe it is minimal.

Your idea (how)

Add an option to the oidc-login get-token command named --access-type which can either be offline (default) or online.
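
A sketch of how the proposed option could map onto the authorization request, as an added example that is not kubelogin's code or part of the original issue. `BuildAuthURL`, `HasRefreshToken`, the endpoint and the client values are hypothetical; whether a provider withholds the refresh token for `access_type=online` depends on the provider, which is why the second function checks the token response.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// BuildAuthURL (hypothetical helper) maps the proposed --access-type value onto
// the access_type query parameter; empty means "offline", the proposed default.
func BuildAuthURL(endpoint, clientID, redirectURI, state, accessType string) (string, error) {
	switch accessType {
	case "":
		accessType = "offline"
	case "offline", "online":
	default:
		return "", fmt.Errorf("invalid --access-type %q: want offline or online", accessType)
	}
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid")
	q.Set("state", state)
	q.Set("access_type", accessType)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// HasRefreshToken reports whether a token endpoint response (RFC 6749 JSON)
// carries a refresh_token, so nothing long-lived is cached by accident.
func HasRefreshToken(tokenResponse []byte) (bool, error) {
	var r struct {
		RefreshToken string `json:"refresh_token"`
	}
	if err := json.Unmarshal(tokenResponse, &r); err != nil {
		return false, err
	}
	return r.RefreshToken != "", nil
}

func main() {
	u, err := BuildAuthURL("https://idp.example.com/auth", "kubectl", "http://localhost:8000", "constructed-state", "online") // constructed values
	fmt.Println(u, err)
}
```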