Commit a8914b73 authored by Eric Chiang's avatar Eric Chiang

oidc client auth: better error when refresh response is missing id_token

parent 086bda60
...@@ -258,7 +258,11 @@ func (p *oidcAuthProvider) idToken() (string, error) { ...@@ -258,7 +258,11 @@ func (p *oidcAuthProvider) idToken() (string, error) {
idToken, ok := token.Extra("id_token").(string) idToken, ok := token.Extra("id_token").(string)
if !ok { if !ok {
return "", fmt.Errorf("token response did not contain an id_token") // id_token isn't a required part of a refresh token response, so some
// providers (Okta) don't return this value.
//
// See https://github.com/kubernetes/kubernetes/issues/36847
return "", fmt.Errorf("token response did not contain an id_token, either the scope \"openid\" wasn't requested upon login, or the provider doesn't support id_tokens as part of the refresh response.")
} }
// Create a new config to persist. // Create a new config to persist.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment