Description
A little ways back, support was added to the APIServer for authenticating with JWTs obtained from OpenID Identity Providers ( #10957 ). However, these tokens tend to be short-lived, so we'd like to add support for refresh tokens.
The obvious place for this at first glance is kubectl, but that presents a number of problems: a refresh token request requires a client ID and secret; surely we don't want to distribute the API Server client secret to every user who wants to use the command line?
So should the APIServer instead be able to consume refresh tokens? If that's the case, it would seem that it would need to have an endpoint where someone can go to obtain one in the first place (e.g., they navigate to some URL, do the OAuth2 dance with their OIDC IDP, end up back at the APIServer on a page that displays the refresh token, which they can then embed in their kubectl config file). Does this approach make more sense?
Thanks!
Bobby
cc: @ericchiang, @bcwaldon, @philips @yifan-gu
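The refresh_token grant the issue refers to, as an added example that is not part of the issue or of the Kubernetes code base: a client that performs the OAuth2 refresh request (RFC 6749 section 6) against an in-process mock of an OIDC provider's token endpoint, plus a helper that reads the ID token's `exp` claim to decide when a refresh is due. The mock provider, the client ID and secret, the token strings, and the function names `NewMockTokenServer`, `RefreshIDToken` and `NeedsRefresh` are all constructed for this example. The mock refuses any request that does not carry the client secret, which is the point raised above about why kubectl cannot do this without every user holding that secret.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// TokenResponse is the subset of the token endpoint response (RFC 6749 5.1,
// OpenID Connect Core 12.1) a command-line client needs.
type TokenResponse struct {
	IDToken      string `json:"id_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int    `json:"expires_in"`
}

// Constructed credentials and tokens for the mock provider. Not real values.
const (
	mockClientID     = "example-client-id"
	mockClientSecret = "example-client-secret"
	mockRefreshToken = "constructed-refresh-token-1"
)

// makeMockJWT builds a JWT-shaped ID token carrying an exp claim. The signature
// segment is a placeholder: this mock never signs, so nothing may verify it.
func makeMockJWT(exp time.Time) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]interface{}{"sub": "bobby", "exp": exp.Unix()})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(payload) + ".mock-signature"
}

func writeErr(w http.ResponseWriter, status int, code string) {
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]string{"error": code})
}

// NewMockTokenServer stands in for an OIDC provider's token endpoint. It only
// honours the refresh_token grant and only for an authenticated client.
func NewMockTokenServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != mockClientID || secret != mockClientSecret {
			writeErr(w, http.StatusUnauthorized, "invalid_client")
			return
		}
		if err := r.ParseForm(); err != nil || r.PostForm.Get("grant_type") != "refresh_token" {
			writeErr(w, http.StatusBadRequest, "unsupported_grant_type")
			return
		}
		if r.PostForm.Get("refresh_token") != mockRefreshToken {
			writeErr(w, http.StatusBadRequest, "invalid_grant")
			return
		}
		// Issue a fresh short-lived ID token and rotate the refresh token.
		json.NewEncoder(w).Encode(TokenResponse{
			IDToken:      makeMockJWT(time.Now().Add(10 * time.Minute)),
			RefreshToken: "constructed-refresh-token-2",
			ExpiresIn:    600,
		})
	}))
}

// RefreshIDToken performs the refresh_token grant. Client ID and secret travel
// in the Authorization header (RFC 6749 2.3.1), so the caller must hold both.
func RefreshIDToken(tokenURL, clientID, clientSecret, refreshToken string) (*TokenResponse, error) {
	form := url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refreshToken}}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		var e struct {
			Error string `json:"error"`
		}
		json.NewDecoder(resp.Body).Decode(&e)
		return nil, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, e.Error)
	}
	var tr TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	if tr.IDToken == "" {
		return nil, errors.New("no id_token in response")
	}
	return &tr, nil
}

// NeedsRefresh reports whether the ID token's exp claim falls within leeway of
// now. It decodes the payload only to schedule a refresh; it does not verify
// the signature, which the API server must still do on every request.
func NeedsRefresh(idToken string, now time.Time, leeway time.Duration) (bool, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return false, errors.New("not a JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return false, err
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return false, err
	}
	if claims.Exp == 0 {
		return false, errors.New("missing exp claim")
	}
	return !now.Add(leeway).Before(time.Unix(claims.Exp, 0)), nil
}

func main() {
	srv := NewMockTokenServer()
	defer srv.Close()
	// Without the client secret the provider refuses the refresh outright.
	if _, err := RefreshIDToken(srv.URL, mockClientID, "wrong-secret", mockRefreshToken); err != nil {
		fmt.Println("refresh without the client secret:", err)
	}
	tr, err := RefreshIDToken(srv.URL, mockClientID, mockClientSecret, mockRefreshToken)
	if err != nil {
		panic(err)
	}
	stale, _ := NeedsRefresh(tr.IDToken, time.Now().Add(9*time.Minute+30*time.Second), time.Minute)
	fmt.Printf("rotated refresh token %q; refresh due at 9m30s? %v\n", tr.RefreshToken, stale)
}
```

The mock rotates the refresh token on every use, so a client that stores the token in a config file has to write the new value back after each refresh; a stale copy will be rejected with `invalid_grant`.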