mirror of
https://github.com/vmware-tanzu/pinniped.git
synced 2025-12-23 06:15:47 +00:00
dce9409ccc
In the RFC8693 token exchange, the CLI sends your access token and receives in exchange a new cluster-scoped ID token. Fix a bug in the CLI. Whenever the "pinniped login oidc" command was planning to perform the RFC8693 token exchange, it failed to check if the cached access token was still valid before performing the exchange, which sends the access token. It instead checked if the cached ID token was still valid, but that it not relevant in this situation because the ID token is not going to be used for anything (instead the new ID token returned by the RFC8693 token exchange will be used for auth). This bug doesn't actually matter today, because the Supervisor-issued access and ID tokens always both have the same 2-minute lifetimes. However, future enhancements may cause them to have different lifetimes in certain circumstances. Fixing this CLI bug now to prepare for those potential future enhancements.