int128/kubelogin

Token lifetime doesn't match settings in Okta Auth Server

joemiao-exos opened this issue · 1 comment

Describe the question


I'm setting up a flow that grants users EKS access via an Okta group and followed this blog: https://developer.okta.com/blog/2021/10/08/secure-access-to-aws-eks.

Issues:

  1. The id_token expiration time doesn't match what I configured in Okta Authorization Server and seems to be configured as 1 hour in kubelogin by default:
$ kubectl get nodes --user=oidc
...
I0117 08:53:51.638352   28796 browser.go:35] starting the authentication code flow using the browser
I0117 08:53:51.638952   28796 browser.go:104] opening http://localhost:8000 in the browser
I0117 08:53:51.639021   28796 server.go:36] oauth2cli: starting a server at 127.0.0.1:8000
...
I0117 08:53:52.065539   28796 server.go:66] oauth2cli: shutting down the server
I0117 08:53:52.066087   28796 server.go:47] oauth2cli: stopped the server
I0117 08:53:52.067368   28796 oauth2cli.go:156] oauth2cli: exchanging the code and token
...
I0117 08:53:52.415457   28796 get_token.go:107] you got a valid token until 2023-01-17 09:53:52 -0500 EST
...

current timestamp:
$ date
Tue Jan 17 08:54:14 EST 2023

As you can see the expiration time is 2023-01-17 09:53:52 -0500 EST which is roughly 1 hour from the current time.

However, in Okta, I have the following token lifetime values configured:
(screenshot: Okta token lifetime settings, taken 2023-01-17)

Why doesn't kubelogin get a token with the correct expiration/lifetime according to Okta? Is this a bug?

  2. I also want to verify the lifetime of the Refresh Token. How can I tell kubelogin to display the expiration time of the Refresh Token in the log as well? And where is the Refresh Token cached locally? Is it supposed to also be cached in .kube/cache/oidc-login/?

The most relevant code I can find is:

RefreshToken string // (optional) refresh-token

To reproduce


Your environment

  • OS: macOS
  • kubelogin version: stable v1.25.3
  • kubectl version: Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"archive", BuildDate:"2022-03-17T05:56:22Z", GoVersion:"go1.17.6", Compiler:"gc", Platform:"darwin/amd64"}
  • OpenID Connect provider: Okta
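To check the point raised above (what lifetime the ID token actually carries versus what the authorization server is configured with), the following is an added example, not part of this issue and not kubelogin's own code. It decodes a JWT's iat and exp claims without verifying the signature and compares the difference with the configured lifetime; the log line "you got a valid token until ..." is that exp value. The token is constructed inside the script, and the issuer, audience and HMAC secret are placeholders. One caveat: Okta refresh tokens are opaque strings, not JWTs, so their expiry cannot be read this way and must be taken from the authorization server's settings.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_sample_id_token(iat: int, lifetime_seconds: int, secret: bytes) -> str:
    """Build a constructed HS256 JWT shaped like an OIDC ID token (test data only).

    Real Okta ID tokens are RS256-signed; HS256 is used here only so the
    sample is self-contained. Issuer, audience and subject are placeholders.
    """
    header = {"alg": "HS256", "typ": "JWT", "kid": "sample"}
    payload = {
        "iss": "https://example.okta.com/oauth2/default",  # constructed issuer
        "aud": "0oaexampleclientid",                        # constructed client id
        "sub": "user@example.com",                          # constructed subject
        "iat": iat,
        "exp": iat + lifetime_seconds,
    }
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(payload).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def token_lifetime(token: str) -> dict:
    """Decode (without verifying) a JWT and return its iat, exp and lifetime.

    Signature verification is deliberately skipped: the goal is to inspect
    the claims the IdP put into a token we already hold, not to trust it.
    Opaque tokens (for example Okta refresh tokens) are rejected.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(
            "not a JWS compact serialization (expected 3 segments); "
            "opaque tokens such as Okta refresh tokens cannot be decoded"
        )
    claims = json.loads(_b64url_decode(parts[1]))
    iat, exp = int(claims["iat"]), int(claims["exp"])
    return {
        "iat": iat,
        "exp": exp,
        "lifetime_seconds": exp - iat,
        "expires_at": datetime.fromtimestamp(exp, tz=timezone.utc).isoformat(),
    }


def matches_configured_lifetime(token: str, configured_seconds: int, skew: int = 5) -> bool:
    """True if the token's exp - iat is within `skew` seconds of the configured lifetime."""
    return abs(token_lifetime(token)["lifetime_seconds"] - configured_seconds) <= skew


if __name__ == "__main__":
    # iat chosen to match the issue's log timestamp (2023-01-17 08:53:52 EST = 13:53:52 UTC).
    sample = make_sample_id_token(1673963632, 3600, b"constructed-secret")
    info = token_lifetime(sample)
    print(f"iat={info['iat']} exp={info['exp']} lifetime={info['lifetime_seconds']}s "
          f"expires_at={info['expires_at']}")
    print("matches an 8h setting:", matches_configured_lifetime(sample, 8 * 3600))
```

To apply this to a real token, paste the id_token kubelogin obtained into token_lifetime() and compare lifetime_seconds with the ID token lifetime configured on the Okta authorization server; if the access token is what was configured to be longer, decode that one separately, since ID and access tokens have independent lifetimes.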

Did you manage to get this fixed? My understanding is that it's using an identity token, which is fixed by Okta at 60 minutes unless you use inline hooks, not the access token.