int128 / kubelogin

kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)
Apache License 2.0
1.66k stars, 191 forks

`--oidc-use-access-token` incorrectly hits cache #1132

Open garryod opened 2 weeks ago

Describe the issue

The recently added (#1084) `--oidc-use-access-token` argument appears not to be taken into account when determining whether the cached token should be used. Therefore, when `kubectl oidc-login get-token` is called with `--oidc-use-access-token` shortly after it is called without it (or vice versa), the same token is returned.

Removing the `--token-cache-dir` between invocations results in a new token being fetched.

To reproduce

`diff` here exits without finding any differences (status code 0):

```sh
kubectl oidc-login get-token --oidc-issuer-url=<ISSUER> --oidc-client-id=<CLIENT_ID> --grant-type=password | jq -r '.status.token' > id_token.txt
kubectl oidc-login get-token --oidc-issuer-url=<ISSUER> --oidc-client-id=<CLIENT_ID> --grant-type=password --oidc-use-access-token | jq -r '.status.token' > access_token.txt
diff id_token.txt access_token.txt
```

or

```sh
kubectl oidc-login get-token --oidc-issuer-url=<ISSUER> --oidc-client-id=<CLIENT_ID> --grant-type=password --oidc-use-access-token | jq -r '.status.token' > access_token.txt
kubectl oidc-login get-token --oidc-issuer-url=<ISSUER> --oidc-client-id=<CLIENT_ID> --grant-type=password | jq -r '.status.token' > id_token.txt
diff id_token.txt access_token.txt
```

Your environment