Support auth without refresh tokens #775
Comments
Could you share a small example of this happening?
Here's what the users:

```yaml
- name: <obfuscated>
  user:
    auth-provider:
      config:
        client-id: <obfuscated>
        client-secret: <obfuscated>
        extra-scopes: <obfuscated>
        id-token: <obfuscated>
        idp-issuer-url: <obfuscated>
      name: <obfuscated>
```

In particular, please note the absence of a
We are slowly transitioning You've obfuscated the name of the auth-provider from your config. Can I just check that it is I haven't implemented OIDC in Now is a good opportunity to influence the design of that implementation so knowing that
We use OIDC. The tokens are relatively long-lived and we provide an out of band auth CLI for when they expire. I'm not sure how unique our setup is, so just to clarify, I have no sense of entitlement around supporting what might be an unusual pattern. I'll comment on the issue but I'm also going to look into enabling refresh tokens on our end since that's probably the path of least resistance, especially given the transition to kr8s. Thanks, @jacobtomlinson!
Just found out that our refresh tokens are prohibited by design for security reasons. This will prevent us from using the SDK with the operator, unfortunately.
Don't worry I don't think you're coming across as entitled at all. We will definitely implement OIDC (and make sure it handles cases without refresh tokens) in kr8s before switching it out here. The goal is to leave things better than before. If you have any interest in contributing to kr8s and helping implement OIDC auth that would be 🔥. But it's also on my todo list.
Ok, it turns out adding basic OIDC support to kr8s without token refreshing was very simple. kr8s-org/kr8s#126
Not all cluster auth providers support refresh tokens. `KubeCluster` fails to instantiate without one out of cluster when parsing the Kubernetes configuration file. It would be helpful if there was a `refresh_token` flag or something to that effect in either `KubeCluster` or one of the auth plugins it accepts. Happy to contribute.
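
One way a client could handle the case discussed in this issue, where the kubeconfig user carries an `id-token` but no `refresh-token`. This is an added example, not code from kr8s or the operator; `resolve_oidc_token`, `ReauthRequired` and the sample token are hypothetical, and it assumes the `exp` claim is only read locally because the API server is what verifies the token.

```python
import base64
import json
import time


class ReauthRequired(Exception):
    """The ID token is expired and cannot be renewed without user action."""


def _jwt_claims(token):
    """Decode the JWT payload without verifying the signature (assumption: the API server verifies it)."""
    try:
        payload = token.split(".")[1]
        padded = payload + "=" * (-len(payload) % 4)  # restore stripped base64url padding
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (IndexError, ValueError) as exc:
        raise ValueError("id-token is not a well-formed JWT") from exc
    if not isinstance(claims, dict):
        raise ValueError("id-token payload is not a JSON object")
    return claims


def resolve_oidc_token(user, now=None, leeway=30):
    """Return ("bearer", id_token) or ("refresh", refresh_token) for one kubeconfig user entry."""
    config = (user.get("auth-provider") or {}).get("config") or {}
    id_token = config.get("id-token")
    if not id_token:
        raise ValueError("auth-provider config has no id-token")
    now = time.time() if now is None else now
    exp = _jwt_claims(id_token).get("exp")
    # A missing or non-numeric exp is treated as expired rather than trusted.
    if isinstance(exp, (int, float)) and exp - leeway > now:
        return ("bearer", id_token)
    refresh = config.get("refresh-token")
    if refresh:
        return ("refresh", refresh)  # caller performs the refresh grant
    raise ReauthRequired("id-token expired and no refresh-token configured; re-authenticate out of band")


def make_constructed_jwt(exp):
    """Build an unsigned sample token for the demo (constructed, not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"sub": "demo", "exp": exp}), "sig"])


if __name__ == "__main__":
    user = {"auth-provider": {"config": {"id-token": make_constructed_jwt(time.time() + 3600)}}}
    print(resolve_oidc_token(user)[0])
```

Raising a dedicated exception for the expired, no-refresh case lets the caller tell the user to rerun their out of band login instead of failing while parsing the configuration file.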