Purpose of the feature (why)
We need kubectl to request consent from the user once their id_token has expired. However, having the refresh_token always requested by this code makes that impossible.
Our security standards require that no long-lived tokens be present on the kubectl user's machine, and refresh_token is one of them. While we understand that this presents an inconvenience to the user every time the id_token expires, we believe it is minimal.
Your idea (how)
Add an option to the oidc-login get-token command named --access-type which can either be offline (default) or online.
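As an added illustration (not code from the kubelogin project or from the author of this issue), the Go program below sketches what an --access-type switch would change in the authorization request, next to a check for the refresh_token that the policy above forbids on the user's machine. Everything here is assumed for the example: the function names, the endpoint and client identifiers, the sample cache entry, and the cache-file layout with id_token and refresh_token fields. Treating access_type=offline as the trigger for a refresh_token is Google-style OAuth 2.0 behaviour; it is not part of OIDC core, and other providers may key off the offline_access scope or prompt=consent instead.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// AccessType mirrors the proposed --access-type values (names assumed for the example).
type AccessType string

const (
	AccessTypeOffline AccessType = "offline" // ask the IdP for a refresh_token (the proposed default)
	AccessTypeOnline  AccessType = "online"  // id_token only; the user re-consents when it expires
)

// AuthCodeURL builds an OIDC authorization-code request. The access_type
// parameter is appended only for the offline case, so an online request gives
// the IdP no reason to mint a refresh_token.
func AuthCodeURL(authEndpoint, clientID, redirectURI, state string, scopes []string, t AccessType) (string, error) {
	u, err := url.Parse(authEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("scope", strings.Join(scopes, " "))
	switch t {
	case AccessTypeOffline:
		q.Set("access_type", "offline")
	case AccessTypeOnline:
		// online is the OAuth 2.0 default, so the parameter is simply omitted
	default:
		return "", fmt.Errorf("unknown access type %q", t)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// tokenCacheEntry is the assumed shape of a cached token file.
type tokenCacheEntry struct {
	IDToken      string `json:"id_token"`
	RefreshToken string `json:"refresh_token,omitempty"`
}

// HasLongLivedToken reports whether a cached entry still carries a
// refresh_token, i.e. whether the machine violates the policy above.
func HasLongLivedToken(cacheJSON []byte) (bool, error) {
	var e tokenCacheEntry
	if err := json.Unmarshal(cacheJSON, &e); err != nil {
		return false, err
	}
	return e.RefreshToken != "", nil
}

func main() {
	scopes := []string{"openid", "email"}
	for _, t := range []AccessType{AccessTypeOffline, AccessTypeOnline} {
		// endpoint, client and redirect values are placeholders for the example
		u, err := AuthCodeURL("https://idp.example.com/authorize", "kubectl", "http://localhost:8000", "state-123", scopes, t)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s %s\n", t, u)
	}

	// constructed sample cache entry, as a refresh_token-bearing login would leave it
	sample := []byte(`{"id_token":"eyJ.sample.idtoken","refresh_token":"1//sample-refresh"}`)
	long, err := HasLongLivedToken(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("refresh_token present in cache:", long)
}
```

In practice the audit half is what an operator would run over the plugin's cache directory after switching to online mode: if any entry still reports a refresh_token, the previous offline login left a long-lived credential behind that should be removed.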