csharp/src/KubernetesClient/Authentication/OidcTokenProvider.cs

using System;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.Rest;
using IdentityModel.OidcClient;
using k8s.Exceptions;

namespace k8s.Authentication
{
    public class OidcTokenProvider : ITokenProvider
    {
        private OidcClient _oidcClient;
        private string _idToken;
        private string _refreshToken;
        private DateTime _expiry;

        public OidcTokenProvider(string clientId, string clientSecret, string idpIssuerUrl, string idToken, string refreshToken)
        {
            _idToken = idToken;
            _refreshToken = refreshToken;
            _oidcClient = getClient(clientId, clientSecret, idpIssuerUrl);
            _expiry = getExpiryFromToken();
        }

        public async Task<AuthenticationHeaderValue> GetAuthenticationHeaderAsync(CancellationToken cancellationToken)
        {
            if (_idToken == null || DateTime.UtcNow.AddSeconds(30) > _expiry)
            {
                await RefreshToken().ConfigureAwait(false);
            }

            return new AuthenticationHeaderValue("Bearer", _idToken);
        }

        private DateTime getExpiryFromToken()
        {
            int expiry;
            var handler = new JwtSecurityTokenHandler();
            try
            {
                var token = handler.ReadJwtToken(_idToken);
                expiry = token.Payload.Exp ?? 0;
            }
            catch
            {
                expiry = 0;
            }

            return DateTimeOffset.FromUnixTimeSeconds(expiry).UtcDateTime;
        }

        private OidcClient getClient(string clientId, string clientSecret, string idpIssuerUrl)
        {
            OidcClientOptions options = new OidcClientOptions
            {
                ClientId = clientId,
                ClientSecret = clientSecret ?? "",
                Authority = idpIssuerUrl,
            };

            return new OidcClient(options);
        }

        private async Task RefreshToken()
        {
            try
            {
                var result = await _oidcClient.RefreshTokenAsync(_refreshToken).ConfigureAwait(false);

                if (result.IsError)
                {
                    throw new Exception(result.Error);
                }

                _idToken = result.IdentityToken;
                _refreshToken = result.RefreshToken;
                _expiry = result.AccessTokenExpiration;
            }
            catch (Exception e)
            {
                throw new KubernetesClientException($"Unable to refresh OIDC token. \n {e.Message}", e);
            }
        }
    }
}
OIDC support (#544) * add minimal oidc support * add OidcTokenProvider * add null check for accessToken * deal with missing client-secret in config * fix formatting, typos * remove commented line * trigger github actions to check for non-deterministic test behavior * Update src/KubernetesClient/Authentication/OidcTokenProvider.cs Co-authored-by: Boshi Lian <farmer1992@gmail.com> * Update src/KubernetesClient/Authentication/OidcTokenProvider.cs Co-authored-by: Boshi Lian <farmer1992@gmail.com> * cleanup * add CA1723 to exceptions * remove exception for CA1723, add CA1724 instead Co-authored-by: Boshi Lian <farmer1992@gmail.com> 2021-01-19 23:07:59 +01:00			`using System;`
			`using System.Net.Http.Headers;`
			`using System.Threading;`
			`using System.Threading.Tasks;`
fix: oidc (#633) * fix: oidc * revert: verbose oidc logs * fix: actually commit changes * chore: cleanup var name * chore: address pr feedback 2021-05-24 09:33:39 -07:00			`using System.IdentityModel.Tokens.Jwt;`
OIDC support (#544) * add minimal oidc support * add OidcTokenProvider * add null check for accessToken * deal with missing client-secret in config * fix formatting, typos * remove commented line * trigger github actions to check for non-deterministic test behavior * Update src/KubernetesClient/Authentication/OidcTokenProvider.cs Co-authored-by: Boshi Lian <farmer1992@gmail.com> * Update src/KubernetesClient/Authentication/OidcTokenProvider.cs Co-authored-by: Boshi Lian <farmer1992@gmail.com> * cleanup * add CA1723 to exceptions * remove exception for CA1723, add CA1724 instead Co-authored-by: Boshi Lian <farmer1992@gmail.com> 2021-01-19 23:07:59 +01:00			`using Microsoft.Rest;`
			`using IdentityModel.OidcClient;`
			`using k8s.Exceptions;`

			`namespace k8s.Authentication`
			`{`
			`public class OidcTokenProvider : ITokenProvider`
			`{`
			`private OidcClient _oidcClient;`
			`private string _idToken;`
			`private string _refreshToken;`
			`private DateTime _expiry;`

			`public OidcTokenProvider(string clientId, string clientSecret, string idpIssuerUrl, string idToken, string refreshToken)`
			`{`
			`_idToken = idToken;`
			`_refreshToken = refreshToken;`
			`_oidcClient = getClient(clientId, clientSecret, idpIssuerUrl);`
fix: oidc (#633) * fix: oidc * revert: verbose oidc logs * fix: actually commit changes * chore: cleanup var name * chore: address pr feedback 2021-05-24 09:33:39 -07:00			`_expiry = getExpiryFromToken();`
OIDC support (#544) * add minimal oidc support * add OidcTokenProvider * add null check for accessToken * deal with missing client-secret in config * fix formatting, typos * remove commented line * trigger github actions to check for non-deterministic test behavior * Update src/KubernetesClient/Authentication/OidcTokenProvider.cs Co-authored-by: Boshi Lian <farmer1992@gmail.com> * Update src/KubernetesClient/Authentication/OidcTokenProvider.cs Co-authored-by: Boshi Lian <farmer1992@gmail.com> * cleanup * add CA1723 to exceptions * remove exception for CA1723, add CA1724 instead Co-authored-by: Boshi Lian <farmer1992@gmail.com> 2021-01-19 23:07:59 +01:00			`}`

			`public async Task<AuthenticationHeaderValue> GetAuthenticationHeaderAsync(CancellationToken cancellationToken)`
			`{`
fix: oidc (#633) * fix: oidc * revert: verbose oidc logs * fix: actually commit changes * chore: cleanup var name * chore: address pr feedback 2021-05-24 09:33:39 -07:00			`if (_idToken == null \|\| DateTime.UtcNow.AddSeconds(30) > _expiry)`
OIDC support (#544) * add minimal oidc support * add OidcTokenProvider * add null check for accessToken * deal with missing client-secret in config * fix formatting, typos * remove commented line * trigger github actions to check for non-deterministic test behavior * Update src/KubernetesClient/Authentication/OidcTokenProvider.cs Co-authored-by: Boshi Lian <farmer1992@gmail.com> * Update src/KubernetesClient/Authentication/OidcTokenProvider.cs Co-authored-by: Boshi Lian <farmer1992@gmail.com> * cleanup * add CA1723 to exceptions * remove exception for CA1723, add CA1724 instead Co-authored-by: Boshi Lian <farmer1992@gmail.com> 2021-01-19 23:07:59 +01:00			`{`
			`await RefreshToken().ConfigureAwait(false);`
			`}`

fix: oidc (#633) * fix: oidc * revert: verbose oidc logs * fix: actually commit changes * chore: cleanup var name * chore: address pr feedback 2021-05-24 09:33:39 -07:00			`return new AuthenticationHeaderValue("Bearer", _idToken);`
			`}`

			`private DateTime getExpiryFromToken()`
			`{`
			`int expiry;`
			`var handler = new JwtSecurityTokenHandler();`
			`try`
			`{`
			`var token = handler.ReadJwtToken(_idToken);`
			`expiry = token.Payload.Exp ?? 0;`
			`}`
			`catch`
			`{`
			`expiry = 0;`
			`}`

			`return DateTimeOffset.FromUnixTimeSeconds(expiry).UtcDateTime;`
OIDC support (#544) * add minimal oidc support * add OidcTokenProvider * add null check for accessToken * deal with missing client-secret in config * fix formatting, typos * remove commented line * trigger github actions to check for non-deterministic test behavior * Update src/KubernetesClient/Authentication/OidcTokenProvider.cs Co-authored-by: Boshi Lian <farmer1992@gmail.com> * Update src/KubernetesClient/Authentication/OidcTokenProvider.cs Co-authored-by: Boshi Lian <farmer1992@gmail.com> * cleanup * add CA1723 to exceptions * remove exception for CA1723, add CA1724 instead Co-authored-by: Boshi Lian <farmer1992@gmail.com> 2021-01-19 23:07:59 +01:00			`}`

			`private OidcClient getClient(string clientId, string clientSecret, string idpIssuerUrl)`
			`{`
			`OidcClientOptions options = new OidcClientOptions`
			`{`
			`ClientId = clientId,`
			`ClientSecret = clientSecret ?? "",`
			`Authority = idpIssuerUrl,`
			`};`

			`return new OidcClient(options);`
			`}`

			`private async Task RefreshToken()`
			`{`
			`try`
			`{`
fix: oidc (#633) * fix: oidc * revert: verbose oidc logs * fix: actually commit changes * chore: cleanup var name * chore: address pr feedback 2021-05-24 09:33:39 -07:00			`var result = await _oidcClient.RefreshTokenAsync(_refreshToken).ConfigureAwait(false);`

			`if (result.IsError)`
			`{`
			`throw new Exception(result.Error);`
			`}`

OIDC support (#544) * add minimal oidc support * add OidcTokenProvider * add null check for accessToken * deal with missing client-secret in config * fix formatting, typos * remove commented line * trigger github actions to check for non-deterministic test behavior * Update src/KubernetesClient/Authentication/OidcTokenProvider.cs Co-authored-by: Boshi Lian <farmer1992@gmail.com> * Update src/KubernetesClient/Authentication/OidcTokenProvider.cs Co-authored-by: Boshi Lian <farmer1992@gmail.com> * cleanup * add CA1723 to exceptions * remove exception for CA1723, add CA1724 instead Co-authored-by: Boshi Lian <farmer1992@gmail.com> 2021-01-19 23:07:59 +01:00			`_idToken = result.IdentityToken;`
			`_refreshToken = result.RefreshToken;`
			`_expiry = result.AccessTokenExpiration;`
			`}`
			`catch (Exception e)`
			`{`
			`throw new KubernetesClientException($"Unable to refresh OIDC token. \n {e.Message}", e);`
			`}`
			`}`
			`}`
			`}`