The kubeconfig file generated by dex includes an id_token used to identify a user as well as a refresh token.
Once the id_token expires, kubectl uses the current refresh token to obtain a new id_token and refresh token.
The issue is that the id_token is not getting refreshed when it expires, so the user has no more access to the cluster.
The workaround is to re-generate the kubeconfig, which provides a new id_token, but this is not an ideal way of working.
The expectation is to have the id_token refreshed automatically, as long as the user is still recognized by the IdP, i.e., the LDAP provider.
sshiba changed the title "dex-aio - missing idp-ca.crt for refresh token" → "dex-aio - id_token not being refreshed" (Jul 1, 2021)
Once the id_token expires, kubectl uses the refresh token to obtain new
id_token and refresh token. This process requires the attribute
idp-certificate-authority under users.user.auth-provider.config in the
kubeconfig file, which was missing when this file was generated.
This patchset adds the attribute in values.yaml that will be used to
generate the config.yaml file for the authenticator container, which
will include the instructions for including the missing
idp-certificate-authority and associated certificate in the kubeconfig
file.
Also, added the namespace for the templates as dex needs to be deployed
in the same namespace as the target-cluster management resources, e.g.,
target-infra.
Relates-to: #6
Change-Id: Ie871d1d47f160da035fdfa80016699c519d4c2dd
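A check for the condition the commit message above describes, as an added example that is not part of the issue or the patch: it audits the users of a kubeconfig (parsed from `kubectl config view --raw -o json`) for OIDC entries that lack `idp-certificate-authority` or a refresh token. The sample users, issuer URL and finding codes are constructed; `idp-certificate-authority-data` is the inline form of the same kubectl setting.

```python
import base64, json, os, time

# Constructed sample in the shape of `kubectl config view --raw -o json`.
# All names, URLs and token values are placeholders, not taken from the issue.
SAMPLE = {"users": [
    {"name": "alice", "user": {"auth-provider": {"name": "oidc", "config": {
        "idp-issuer-url": "https://dex.example.test/dex",
        "id-token": "PLACEHOLDER", "refresh-token": "PLACEHOLDER"}}}},
    {"name": "bob", "user": {"auth-provider": {"name": "oidc", "config": {
        "idp-issuer-url": "https://dex.example.test/dex",
        "id-token": "PLACEHOLDER", "refresh-token": "PLACEHOLDER",
        "idp-certificate-authority-data": "PLACEHOLDER"}}}},
]}

def id_token_exp(token):
    """Return the exp claim of a JWT (signature NOT verified), or None if unreadable."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
        return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])
    except (AttributeError, IndexError, KeyError, TypeError, ValueError):
        return None

def audit_oidc_users(kubeconfig, now=None):
    """Return (user, finding-code) pairs for OIDC users whose token refresh is at risk."""
    now = time.time() if now is None else now
    findings = []
    for entry in kubeconfig.get("users") or []:
        provider = (entry.get("user") or {}).get("auth-provider") or {}
        if provider.get("name") != "oidc":
            continue  # client certs, static tokens and exec plugins are out of scope
        cfg, name = provider.get("config") or {}, entry.get("name", "<unnamed>")
        if not cfg.get("refresh-token"):
            findings.append((name, "missing-refresh-token"))
        ca_file = cfg.get("idp-certificate-authority")
        if not (ca_file or cfg.get("idp-certificate-authority-data")):
            # Without it kubectl can only trust the issuer via the system CA store.
            findings.append((name, "missing-idp-ca"))
        elif ca_file and not os.path.isfile(ca_file):
            findings.append((name, "idp-ca-file-not-found"))
        exp = id_token_exp(cfg.get("id-token"))
        if exp is not None and exp <= now:
            findings.append((name, "id-token-expired"))
    return findings

if __name__ == "__main__":
    for user, code in audit_oidc_users(SAMPLE):
        print(f"{user}: {code}")
```

Pipe a real file through the same function by replacing `SAMPLE` with `json.load(sys.stdin)`; the output contains no token values, only user names and finding codes.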