Include id_token in refresh token response
Zendesk ticket (internal link): https://gitlab.zendesk.com/agent/tickets/92935
I am working on configuring Kubernetes to use GitLab as an OpenID provider.
I set the `kubectl` conf as specified in the Kubernetes doc (`client-id`, `client-secret`, etc.): https://kubernetes.io/docs/admin/authentication/#option-1---oidc-authenticator
Then it works until the token expires and `kubectl` needs to refresh the token with the refresh-token; that's when it gives an error: `token response did not contain an id_token, either the scope "openid" wasn't requested upon login, or the provider doesn't support id_tokens as part of the refresh response.` (from https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go#L259 )
To verify this I did the following curl request towards GitLab 10.4.3:

```bash
curl -XPOST -d '{ "grant_type": "refresh_token", "refresh_token": "a52..REDACTED..9e8" }' -H "Content-Type: application/json" -H "Authorization: Basic OWN..REDACTED..GM5" https://gitlab.greenfield.elits.com/oauth/token
```

I get the following response:

```json
{"access_token":"642..REDACTED..2b3","token_type":"bearer","refresh_token":"e68..REDACTED..717","scope":"openid","created_at":1521564486}
```

No `id_token` field in the response.
Digging further I read in the spec ( http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse ): "the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token." The thing is that lots of OpenID Connect providers return an `id_token` on refresh, and therefore Kubernetes expects that as well.
Since GitLab is very well integrated with Kubernetes, it would be great to get the Successful Refresh Response to return the `id_token`.
I think it would be something in: https://github.com/doorkeeper-gem/doorkeeper/blob/master/lib/doorkeeper/oauth/token_response.rb and/or https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/lib/doorkeeper/openid_connect/oauth/token_response.rb
/cc @jeremy_
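The following Ruby is an added illustration, not code from the reporter, from GitLab or from doorkeeper. It shows the two response shapes discussed in the issue: the refresh response as GitLab 10.4.3 returned it (same fields, constructed placeholder values), and the same response with an `id_token` added, signed here with a throwaway RSA key. `kubectl_accepts?` mirrors only the condition the client-go error message describes (the body must carry an `id_token`), and `verify_id_token` does the relying-party side (RS256 signature, `aud`, `exp`). The issuer URL, subject and client id are assumptions chosen for the example.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Throwaway signing key, generated for this example only (not a real GitLab key).
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Minimal RS256 JWS carrying the core ID token claims (iss, sub, aud, iat, exp).
def build_id_token(issuer:, subject:, client_id:, key: SIGNING_KEY, now: Time.now.to_i)
  header  = { alg: 'RS256', typ: 'JWT' }
  payload = { iss: issuer, sub: subject, aud: client_id, iat: now, exp: now + 120 }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = key.sign(OpenSSL::Digest::SHA256.new, signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Refresh response in the shape GitLab 10.4.3 returned (constructed values, same field set as the report).
def refresh_response_without_id_token
  {
    'access_token'  => 'constructed-access-token',
    'token_type'    => 'bearer',
    'refresh_token' => 'constructed-refresh-token',
    'scope'         => 'openid',
    'created_at'    => 1521564486
  }
end

# The same response with the id_token kubectl expects on refresh (assumed issuer/client id).
def refresh_response_with_id_token(issuer: 'https://gitlab.example.com', subject: '42', client_id: 'kubernetes')
  refresh_response_without_id_token.merge(
    'id_token' => build_id_token(issuer: issuer, subject: subject, client_id: client_id)
  )
end

# The condition behind the client-go error quoted above: a refresh response
# without a non-empty id_token is rejected.
def kubectl_accepts?(response_body)
  body = JSON.parse(response_body)
  body['id_token'].is_a?(String) && !body['id_token'].empty?
end

# Relying-party verification of the id_token: RS256 signature, audience and expiry.
def verify_id_token(jwt, client_id:, key: SIGNING_KEY, now: Time.now.to_i)
  h, p, s = jwt.split('.')
  return false unless h && p && s
  header = JSON.parse(Base64.urlsafe_decode64(h))
  return false unless header['alg'] == 'RS256'
  signature_ok = key.public_key.verify(OpenSSL::Digest::SHA256.new,
                                       Base64.urlsafe_decode64(s), "#{h}.#{p}")
  return false unless signature_ok
  claims = JSON.parse(Base64.urlsafe_decode64(p))
  claims['aud'] == client_id && claims['exp'].to_i > now
end

if __FILE__ == $PROGRAM_NAME
  before = JSON.generate(refresh_response_without_id_token)
  after  = JSON.generate(refresh_response_with_id_token)
  puts "GitLab 10.4.3 shape accepted by kubectl? #{kubectl_accepts?(before)}"
  puts "With id_token accepted by kubectl?       #{kubectl_accepts?(after)}"
end
```

Running the file prints `false` for the current response shape and `true` once the `id_token` is present; the spec allows omitting it on refresh, but that optional field is exactly what the client-go plugin requires.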