diff options
Diffstat (limited to 'vendor/gems/kubeclient/lib/kubeclient/oidc_auth_provider.rb')
-rw-r--r-- | vendor/gems/kubeclient/lib/kubeclient/oidc_auth_provider.rb | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/vendor/gems/kubeclient/lib/kubeclient/oidc_auth_provider.rb b/vendor/gems/kubeclient/lib/kubeclient/oidc_auth_provider.rb deleted file mode 100644 index ffdfd7e2a5d..00000000000 --- a/vendor/gems/kubeclient/lib/kubeclient/oidc_auth_provider.rb +++ /dev/null @@ -1,52 +0,0 @@ -# frozen_string_literal: true - -module Kubeclient - # Uses OIDC id-tokens and refreshes them if they are stale. - class OIDCAuthProvider - class OpenIDConnectDependencyError < LoadError # rubocop:disable Lint/InheritException - end - - class << self - def token(provider_config) - begin - require 'openid_connect' - rescue LoadError => e - raise OpenIDConnectDependencyError, - 'Error requiring openid_connect gem. Kubeclient itself does not include the ' \ - 'openid_connect gem. To support auth-provider oidc, you must include it in your ' \ - "calling application. Failed with: #{e.message}" - end - - issuer_url = provider_config['idp-issuer-url'] - discovery = OpenIDConnect::Discovery::Provider::Config.discover! issuer_url - - if provider_config.key? 'id-token' - return provider_config['id-token'] unless expired?(provider_config['id-token'], discovery) - end - - client = OpenIDConnect::Client.new( - identifier: provider_config['client-id'], - secret: provider_config['client-secret'], - authorization_endpoint: discovery.authorization_endpoint, - token_endpoint: discovery.token_endpoint, - userinfo_endpoint: discovery.userinfo_endpoint - ) - client.refresh_token = provider_config['refresh-token'] - client.access_token!.id_token - end - - def expired?(id_token, discovery) - decoded_token = OpenIDConnect::ResponseObject::IdToken.decode( - id_token, - discovery.jwks - ) - # If token expired or expiring within 60 seconds - Time.now.to_i + 60 > decoded_token.exp.to_i - rescue JSON::JWK::Set::KidNotFound - # Token cannot be verified: the kid it was signed with is not available for discovery - # Consider it expired and fetch a new one. - true - end - end - end -end |