get-token: add --force-refresh flag to refresh ID token (#879)

pkg/cmd/get_token.go

@@ -21,6 +21,7 @@ type getTokenOptions struct {
 	TokenCacheDir         string
 	tlsOptions            tlsOptions
 	authenticationOptions authenticationOptions
+	ForceRefresh          bool
 }
 
 func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
@@ -30,6 +31,7 @@ func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
 	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
 	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for token cache")
+	f.BoolVar(&o.ForceRefresh, "force-refresh", false, "If set, refresh the ID token regardless of its expiration time")
 	o.tlsOptions.addFlags(f)
 	o.authenticationOptions.addFlags(f)
 }
@@ -82,6 +84,7 @@ func (cmd *GetToken) New() *cobra.Command {
 				TokenCacheDir:   o.TokenCacheDir,
 				GrantOptionSet:  grantOptionSet,
 				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
+				ForceRefresh:    o.ForceRefresh,
 			}
 			if err := cmd.GetToken.Do(c.Context(), in); err != nil {
 				return fmt.Errorf("get-token: %w", err)

pkg/usecases/authentication/authentication.go

@@ -35,6 +35,7 @@ type Input struct {
 	GrantOptionSet  GrantOptionSet
 	CachedTokenSet  *oidc.TokenSet // optional
 	TLSClientConfig tlsclientconfig.Config
+	ForceRefresh    bool
 }
 
 type GrantOptionSet struct {
@@ -74,22 +75,26 @@ type Authentication struct {
 
 func (u *Authentication) Do(ctx context.Context, in Input) (*Output, error) {
 	if in.CachedTokenSet != nil {
-		u.Logger.V(1).Infof("checking expiration of the existing token")
-		// Skip verification of the token to reduce time of a discovery request.
-		// Here it trusts the signature and claims and checks only expiration,
-		// because the token has been verified before caching.
-		claims, err := in.CachedTokenSet.DecodeWithoutVerify()
-		if err != nil {
-			return nil, fmt.Errorf("invalid token cache (you may need to remove): %w", err)
-		}
-		if !claims.IsExpired(u.Clock) {
-			u.Logger.V(1).Infof("you already have a valid token until %s", claims.Expiry)
-			return &Output{
-				AlreadyHasValidIDToken: true,
-				TokenSet:               *in.CachedTokenSet,
-			}, nil
+		if in.ForceRefresh {
+			u.Logger.V(1).Infof("forcing refresh of the existing token")
+		} else {
+			u.Logger.V(1).Infof("checking expiration of the existing token")
+			// Skip verification of the token to reduce time of a discovery request.
+			// Here it trusts the signature and claims and checks only expiration,
+			// because the token has been verified before caching.
+			claims, err := in.CachedTokenSet.DecodeWithoutVerify()
+			if err != nil {
+				return nil, fmt.Errorf("invalid token cache (you may need to remove): %w", err)
+			}
+			if !claims.IsExpired(u.Clock) {
+				u.Logger.V(1).Infof("you already have a valid token until %s", claims.Expiry)
+				return &Output{
+					AlreadyHasValidIDToken: true,
+					TokenSet:               *in.CachedTokenSet,
+				}, nil
+			}
+			u.Logger.V(1).Infof("you have an expired token at %s", claims.Expiry)
 		}
-		u.Logger.V(1).Infof("you have an expired token at %s", claims.Expiry)
 	}
 
 	u.Logger.V(1).Infof("initializing an OpenID Connect client")

pkg/usecases/credentialplugin/get_token.go

@@ -37,6 +37,7 @@ type Input struct {
 	TokenCacheDir   string
 	GrantOptionSet  authentication.GrantOptionSet
 	TLSClientConfig tlsclientconfig.Config
+	ForceRefresh    bool
 }
 
 type GetToken struct {
@@ -90,6 +91,7 @@ func (u *GetToken) Do(ctx context.Context, in Input) error {
 		GrantOptionSet:  in.GrantOptionSet,
 		CachedTokenSet:  cachedTokenSet,
 		TLSClientConfig: in.TLSClientConfig,
+		ForceRefresh:    in.ForceRefresh,
 	}
 	authenticationOutput, err := u.Authentication.Do(ctx, authenticationInput)
 	if err != nil {