
OAuth2: Ability to specify "audience" parameter to token refresh #256

Open
jchv opened this issue Nov 20, 2017 · 3 comments

Comments


jchv commented Nov 20, 2017

  1. What version of Go are you using (go version)?

    > go version
    go version go1.9rc1 windows/amd64
    
  2. What operating system and processor architecture are you using?

    Windows 10, AMD64

  3. What did you do?

    This is related to kubernetes/kubernetes#56063. When refreshing a Google OIDC token, the audience apparently gets lost if it isn't explicitly stated.

  4. What did you expect to see?

    When a token refreshes, I expect the aud to stay the same, or to be able to specify an audience via the audience POST parameter.

  5. What did you see instead?

    When using Google OIDC and a token refreshes, the aud resets, and no such API exists.


I'm mostly posting this to get a temperature reading on how people feel about introducing the ability to inject this or perhaps arbitrary parameters into the refresh post. It seems like there's little alternative :(

It looks like the most convenient place to inject such code would be here:

	tk, err := retrieveToken(tf.ctx, tf.conf, url.Values{
		"grant_type":    {"refresh_token"},
		"refresh_token": {tf.refreshToken},
	})

This seems related to #234, which proposes a related measure that I'd also like to have.

I apologize if this is already possible and I missed it, or worse, it's not actually an issue at all and I'm just missing something, but it sure seems like a problem to me.
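As an added example (not code from golang.org/x/oauth2 or from the reporter), the refresh body from the snippet above extended with the proposed "audience" parameter, plus the client-side check that a refreshed ID token still carries the expected aud, for both the string and array forms of the claim. Function names and the sample token are constructed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
)

// refreshValues is the refresh_token grant body from the snippet above plus the
// "audience" parameter this issue asks for (hypothetical, not an x/oauth2 API).
func refreshValues(refreshToken, audience string) url.Values {
	return url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refreshToken}, "audience": {audience}}
}

// sampleIDToken is a constructed, unsigned JWT with payload {"aud":"my-client","sub":"1"}.
var sampleIDToken = "eyJhbGciOiJub25lIn0." +
	base64.RawURLEncoding.EncodeToString([]byte(`{"aud":"my-client","sub":"1"}`)) + "."

// refreshKeptAudience reports whether a refreshed ID token still carries the aud the
// client expects. It does not verify the signature; run it after normal ID-token
// verification so a token whose aud was reset on refresh is rejected, not used.
func refreshKeptAudience(idToken, want string) (bool, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return false, errors.New("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return false, err
	}
	var claims struct{ Aud json.RawMessage `json:"aud"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return false, err
	}
	var auds []string // RFC 7519: aud is a string or an array of strings
	var one string
	if json.Unmarshal(claims.Aud, &one) == nil && one != "" {
		auds = []string{one}
	} else if json.Unmarshal(claims.Aud, &auds) != nil || len(auds) == 0 {
		return false, errors.New("aud claim missing or malformed")
	}
	for _, a := range auds {
		if a == want {
			return true, nil
		}
	}
	return false, nil
}
```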


sahlone commented Nov 23, 2017

Can the ticket be assigned to me? I have good experience with OAuth in Scala.


jchv commented Nov 23, 2017

Well, one issue that needs to be addressed either way is whether or not it should be done at all. The Google OIDC implementation is decidedly going against spec here with this; the audience should never change during a refresh.


sahlone commented Nov 23, 2017

The audience claim is optional and is totally left to the implementer. So if one wants it, they should not be limited.
