-
Kubernetes Submit Queue authored
Automatic merge from submit-queue oidc client plugin: reduce round trips and fix scopes requested This PR attempts to simplify the OpenID Connect client plugin to reduce round trips. The steps taken by the client are now: * If ID Token isn't expired: * Do nothing. * If ID Token is expired: * Query /.well-known discovery URL to find token_endpoint. * Use an OAuth2 client and refresh token to request new ID token. This avoids the previous pattern of always initializing a client, which would hit the /.well-known endpoint several times. The client no longer does token validation since the server already does this. As a result, this code no longer imports github.com/coreos/go-oidc, instead just using golang.org/x/oauth2 for refreshing. Overall reduction in tests because we're not verify as many things on the client side. For example, we're no longer validating the id_token signature (again, because it's being done on the server side). This has been manually tested against dex, and I hope to continue to test this over the 1.7 release cycle. cc @mlbiam @frodenas @curtisallen @jsloyer @rithujohn191 @philips @kubernetes/sig-auth-pr-reviews ```release-note NONE ``` Updates https://github.com/kubernetes/kubernetes/issues/42654 Closes https://github.com/kubernetes/kubernetes/issues/37875 Closes https://github.com/kubernetes/kubernetes/issues/37874
98128560