Open jacobtomlinson opened 1 year ago
Here's an Apache 2.0 Licensed implementation from pykube-ng that might be useful for reference when implementing the JWT token refreshing.
Our organization prohibits refresh tokens with OIDC to optimize security. We would greatly appreciate it if kr8s didn't assume the presence of a refresh-token field in the Kubernetes configuration file, and returned a 401 when the token was expired.
Ok I've opened #126 which just uses the OIDC token directly with no refreshing. This was pretty quick to implement.
We probably do want to support refreshing too if other libraries do that, but as @droctothorpe we only want to do that if a refresh-token field is present.
Looking at pykube-ng's implementation they seem to do the following:
.kube/config

I would be interested to dig into other libraries and see if they do any of this validation/refreshing/writing as it feels a little out of scope. But equally if everyone is doing it we probably should too.
Looking at the Kubernetes go-client they check the expiry of the token and if it is expired (or will in the next 10 seconds) they refresh it. I haven't yet found where that gets written back to the config, but I assume it must happen in kubectl somewhere.
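The behaviour discussed in this thread, as an added example (not code from kr8s, pykube-ng or the Kubernetes go-client): read the `exp` claim of the OIDC `id-token`, treat it as expired 10 seconds early, and only attempt a refresh when a `refresh-token` field is present. The function names `jwt_expiry`, `token_action` and `make_token` are hypothetical, and the sample tokens are constructed and unsigned.

```python
import base64
import json
import time

EXPIRY_SKEW_SECONDS = 10  # the 10-second window mentioned in the thread


def jwt_expiry(token):
    """Return the `exp` claim (Unix seconds) of a JWT without verifying it.

    The signature is not checked here: the client only uses `exp` to decide
    when to refresh, and the API server still validates the token itself.
    """
    try:
        payload_b64 = token.split(".")[1]
        padded = payload_b64 + "=" * (-len(payload_b64) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        return float(claims["exp"])
    except (IndexError, KeyError, TypeError, ValueError) as exc:
        raise ValueError("id-token is not a JWT with an exp claim") from exc


def token_action(auth_config, now=None):
    """Decide what to do with an OIDC auth-provider config (hypothetical helper).

    Returns "use" (token still valid), "refresh" (expired or about to expire
    and a refresh-token is configured) or "expired" (no refresh-token, so the
    caller should let the 401 surface instead of trying to refresh).
    """
    now = time.time() if now is None else now
    if jwt_expiry(auth_config["id-token"]) - EXPIRY_SKEW_SECONDS > now:
        return "use"
    if auth_config.get("refresh-token"):
        return "refresh"
    return "expired"


def make_token(exp):
    """Build a constructed, unsigned sample JWT carrying only an exp claim."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    for cfg in ({"id-token": make_token(now + 3600)},
                {"id-token": make_token(now + 5), "refresh-token": "constructed"},
                {"id-token": make_token(now + 5)}):
        print(token_action(cfg, now))
```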
In #126 I added support for authenticating with an OIDC token. However, I did not implement automatically refreshing that token.
This issue tracks adding token refreshing.