kr8s-org / kr8s

A batteries-included Python client library for Kubernetes that feels familiar for folks who already know how to use kubectl
https://kr8s.org
BSD 3-Clause "New" or "Revised" License

Refresh expired OIDC tokens #125

Open jacobtomlinson opened 1 year ago

jacobtomlinson commented 1 year ago

In #126 I added support for authenticating with an OIDC token. However, I did not implement automatically refreshing that token.

This issue tracks adding token refreshing.

jacobtomlinson commented 1 year ago

Here's an Apache 2.0 Licensed implementation from pykube-ng that might be useful for reference when implementing the JWT token refreshing.

https://codeberg.org/hjacobs/pykube-ng/src/commit/c1ac2c97587249e418d04d91f1297d4ffe3631c3/pykube/http.py#L282

droctothorpe commented 1 year ago

Our organization prohibits refresh tokens with OIDC to optimize security. We would greatly appreciate it if kr8s didn't assume the presence of a refresh-token field in the Kubernetes configuration file, and returned a 401 when the token was expired.

jacobtomlinson commented 1 year ago

Ok I've opened #126 which just uses the OIDC token directly with no refreshing. This was pretty quick to implement.

We probably do want to support refreshing too if other libraries do that, but as @droctothorpe noted, we only want to do that if a refresh-token field is present.

Looking at pykube-ng's implementation they seem to do the following:

I would be interested to dig into other libraries and see if they do any of this validation/refreshing/writing as it feels a little out of scope. But equally if everyone is doing it we probably should too.

jacobtomlinson commented 1 year ago

Looking at the Kubernetes go-client they check the expiry of the token and if it is expired (or will be in the next 10 seconds) they refresh it. I haven't yet found where that gets written back to the config, but I assume it must happen in kubectl somewhere.

https://github.com/kubernetes/client-go/blob/c5b1c13ccbedeb03c00ba162ef27566b0dfb512d/plugin/pkg/client/auth/oidc/oidc.go#L221-L288
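The decision logic discussed in this thread (check the id-token's expiry with a 10-second leeway like client-go, refresh only when a refresh-token field is actually present, otherwise let the expired token surface as a 401), written up as an added example that is not kr8s code and not from the issue; the function and key names are assumptions, and the JWT it builds is a constructed unsigned test token.

```python
"""Decide what to do with the OIDC id-token from a kubeconfig auth-provider block."""
import base64
import json
import time
from typing import Optional

EXPIRY_LEEWAY_SECONDS = 10  # client-go treats a token expiring within 10s as expired


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_expiry(id_token: str) -> int:
    """Return the 'exp' claim of an OIDC id-token (a JWT) as a Unix timestamp.

    The signature is deliberately not verified: this only decides whether the
    token is worth sending; the API server is what actually validates it.
    """
    try:
        _, payload, _ = id_token.split(".")
        claims = json.loads(_b64url_decode(payload))
        return int(claims["exp"])
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("id-token is not a well-formed JWT with an exp claim") from exc


def oidc_token_action(auth_config: dict, now: Optional[float] = None) -> str:
    """Return 'use', 'refresh' or 'expired' for an auth-provider 'config' mapping.

    auth_config carries 'id-token' and, optionally, 'refresh-token'. A refresh is
    only suggested when a refresh-token is present; otherwise an expired token is
    reported as 'expired' so the caller can let the API server answer with 401.
    """
    now = time.time() if now is None else now
    exp = id_token_expiry(auth_config["id-token"])
    if exp - now > EXPIRY_LEEWAY_SECONDS:
        return "use"
    if auth_config.get("refresh-token"):
        return "refresh"
    return "expired"


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for local testing only (not a real token)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```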