Add `--force-refresh` flag to `get-token` to refresh ID token #879

This PR adds a flag to `get-token` called `--force-refresh` which always renews the ID token regardless of its expiration time.

When `kubelogin` finds an existing `CachedTokenSet` it expects to have both an `IDToken` and a `RefreshToken`. It would then check the `IDToken`'s expiration time and might skip a refresh if it's still valid.

By using `--force-refresh` the check for the `IDToken`'s expiration time will always be skipped. This will trigger `kubelogin`'s normal token renewal procedure, either automatically (if a refresh token is present) or via the browser (if there's no cached token in the first place).

We have a use case where we prematurely want to refresh the ID token before its regular expiration time because we know the newly requested token will have additional properties that we want. Instructing `kubelogin get-token` to forcefully refresh the token on a case-by-case basis would help us a lot: Previously we would remove the cached token file on the file system completely, but that would also remove the refresh token and requires a dreadful login via the browser (at least it pops up for a moment). By keeping the cached token file (with the refresh token) in place and using `--force-refresh` instead, the process is seamless for the person using the client.

This PR misses tests but functionality has been tested manually. If the approach taken here seems reasonable to be merged I would also work on appropriate tests.

This should also fix #659 /cc @Xartos
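
The decision flow described in the PR text, written out as an added Go example; it is not kubelogin's code and not part of this PR. `TokenSet`, `Decide`, `expiry` and `sampleToken` are hypothetical names, the token is a constructed unsigned JWT, and falling back to the browser when a cached set has no refresh token is an assumption.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type TokenSet struct{ IDToken, RefreshToken string } // field names are assumptions

// expiry reads "exp" from the JWT payload, unverified: a cache-freshness check only.
func expiry(idToken string) (time.Time, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return time.Time{}, fmt.Errorf("not a JWT: %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, err
	}
	var c struct{ Exp int64 `json:"exp"` }
	err = json.Unmarshal(raw, &c)
	return time.Unix(c.Exp, 0), err
}

// Decide returns "use-cached", "refresh" or "browser-login".
func Decide(cached *TokenSet, forceRefresh bool, now time.Time) string {
	if cached == nil {
		return "browser-login" // nothing cached: interactive login
	}
	if exp, err := expiry(cached.IDToken); !forceRefresh && err == nil && now.Before(exp) {
		return "use-cached" // expiry check passed and was not skipped
	}
	if cached.RefreshToken != "" {
		return "refresh" // silent renewal, the refresh token stays in the cache
	}
	return "browser-login" // assumption: no refresh token means interactive login
}

// sampleToken builds a constructed, unsigned JWT carrying only an exp claim.
func sampleToken(exp time.Time) string {
	p := base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf(`{"exp":%d}`, exp.Unix())))
	return "e30." + p + ".sig"
}

func main() {
	c := &TokenSet{sampleToken(time.Now().Add(time.Hour)), "constructed-refresh-token"}
	fmt.Println(Decide(c, false, time.Now()), Decide(c, true, time.Now()), Decide(nil, true, time.Now()))
}
```

A still-valid ID token is reused only when the force flag is off; with the flag on, the same cache entry goes down the refresh path without a browser round trip.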