feat(armadactl): add OIDC refresh token caching

Add token caching for OIDC auth to avoid repeated browser authentication.
The refresh token is securely stored in the system keyring (macOS Keychain,
Windows Credential Manager, Linux Secret Service).

To enable, add `cacheRefreshToken: true` to your context in ~/.armadactl.yaml
and include `offline_access` in your scopes.

Note: armadactl must be built with CGO_ENABLED=1 on macOS for keychain access.

Signed-off-by: Dejan Zele Pejchev <[email protected]>

Author: dejanzele

.github/workflows/release.yml

@@ -131,6 +131,7 @@ jobs:
           DOCKER_REPO: "gresearch"
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           DOCKER_BUILDX_BUILDER: "${{ steps.buildx.outputs.name }}"
+
   invoke-chart-push:
     name: Invoke Chart push
     needs: release

.goreleaser.yml

@@ -157,7 +157,7 @@ archives:
       - README.md
       - MAINTAINERS.md
 
-# macOS Universal Binaries-*
+# macOS Universal Binaries
 universal_binaries:
   - replace: true
     id: armadactl

go.mod

@@ -76,6 +76,7 @@ require (
 	github.com/rs/zerolog v1.33.0
 	github.com/segmentio/fasthash v1.0.3
 	github.com/xitongsys/parquet-go v1.6.2
+	github.com/zalando/go-keyring v0.2.6
 	go.uber.org/atomic v1.11.0
 	go.uber.org/mock v0.5.0
 	golang.org/x/term v0.36.0
@@ -87,6 +88,7 @@ require (
 )
 
 require (
+	al.essio.dev/pkg/shellescape v1.5.1 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
 	github.com/99designs/keyring v1.2.1 // indirect
@@ -113,7 +115,7 @@ require (
 	github.com/charmbracelet/x/ansi v0.8.0 // indirect
 	github.com/cloudflare/circl v1.3.8 // indirect
 	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
-	github.com/danieljoos/wincred v1.1.2 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dlclark/regexp2 v1.11.0 // indirect
@@ -148,6 +150,7 @@ require (
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/googleapis v0.0.0-20180223154316-0cd9801be74a // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect

go.sum

@@ -1,3 +1,5 @@
+al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
+al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
@@ -141,8 +143,8 @@ github.com/cpuguy83/dockercfg v0.3.1/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHf
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM=
 github.com/cyphar/filepath-securejoin v0.3.6/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
-github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
-github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
+github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -274,6 +276,8 @@ github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJA
 github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 h1:ZpnhV/YsD2/4cESfV5+Hoeu/iUR3ruzNvZ+yQfO03a0=
 github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/googleapis v0.0.0-20180223154316-0cd9801be74a h1:dR8+Q0uO5S2ZBcs2IH6VBKYwSxPo2vYCYq0ot0mu7xA=
 github.com/gogo/googleapis v0.0.0-20180223154316-0cd9801be74a/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -666,6 +670,8 @@ github.com/yuin/goldmark-emoji v1.0.3 h1:aLRkLHOuBR2czCY4R8olwMjID+tENfhyFDMCRhb
 github.com/yuin/goldmark-emoji v1.0.3/go.mod h1:tTkZEbwu5wkPmgTcitqddVxY9osFZiavD+r4AzQrh1U=
 github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
 github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=
+github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
 gitlab.com/digitalxero/go-conventional-commit v1.0.7 h1:8/dO6WWG+98PMhlZowt/YjuiKhqhGlOCwlIV8SqqGh8=
 gitlab.com/digitalxero/go-conventional-commit v1.0.7/go.mod h1:05Xc2BFsSyC5tKhK0y+P3bs0AwUtNuTp+mTpbCU/DZ0=
 go.mongodb.org/mongo-driver v1.17.6 h1:87JUG1wZfWsr6rIz3ZmpH90rL5tea7O3IHuSwHUpsss=
@@ -803,7 +809,6 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

pkg/client/auth/oidc/cache.go

@@ -0,0 +1,179 @@
+package oidc
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/zalando/go-keyring"
+	"golang.org/x/oauth2"
+
+	log "github.com/armadaproject/armada/internal/common/logging"
+)
+
+const (
+	keyringServiceName = "armada-oidc"
+)
+
+var errCacheNotInitialized = errors.New("token cache not initialized")
+
+type tokenCache struct {
+	providerUrl string
+	clientId    string
+}
+
+type cachedToken struct {
+	RefreshToken string `json:"refresh_token"`
+}
+
+func newTokenCache(providerUrl, clientId string) (*tokenCache, error) {
+	return &tokenCache{
+		providerUrl: providerUrl,
+		clientId:    clientId,
+	}, nil
+}
+
+func (tc *tokenCache) getKey() string {
+	return fmt.Sprintf("%s:%s", tc.providerUrl, tc.clientId)
+}
+
+func (tc *tokenCache) getCachedRefreshToken() (string, error) {
+	if tc == nil {
+		return "", errCacheNotInitialized
+	}
+
+	key := tc.getKey()
+	data, err := keyring.Get(keyringServiceName, key)
+	if err != nil {
+		if errors.Is(err, keyring.ErrNotFound) {
+			return "", nil
+		}
+		return "", fmt.Errorf("failed to get token from keyring: %w", err)
+	}
+
+	var cached cachedToken
+	if err := json.Unmarshal([]byte(data), &cached); err != nil {
+		return "", fmt.Errorf("failed to unmarshal cached token: %w", err)
+	}
+
+	return cached.RefreshToken, nil
+}
+
+func (tc *tokenCache) saveRefreshToken(refreshToken string) error {
+	if tc == nil {
+		return errCacheNotInitialized
+	}
+
+	if refreshToken == "" {
+		return errors.New("refresh token is empty")
+	}
+
+	key := tc.getKey()
+	cached := cachedToken{
+		RefreshToken: refreshToken,
+	}
+
+	data, err := json.Marshal(cached)
+	if err != nil {
+		return fmt.Errorf("failed to marshal token: %w", err)
+	}
+
+	if err := keyring.Set(keyringServiceName, key, string(data)); err != nil {
+		return fmt.Errorf("failed to save refresh token to keyring: %w", err)
+	}
+
+	return nil
+}
+
+func (tc *tokenCache) deleteToken() error {
+	if tc == nil {
+		return errCacheNotInitialized
+	}
+
+	if err := keyring.Delete(keyringServiceName, tc.getKey()); err != nil && !errors.Is(err, keyring.ErrNotFound) {
+		return fmt.Errorf("failed to delete token from keyring: %w", err)
+	}
+	return nil
+}
+
+// refreshToken exchanges a refresh token for a new access token.
+// If the provider returns a new refresh token (rotation), it updates the cache.
+func refreshToken(ctx context.Context, config *oauth2.Config, refreshToken string, cache *tokenCache) (*oauth2.Token, error) {
+	if refreshToken == "" {
+		return nil, errors.New("no refresh token available")
+	}
+
+	// We construct a token with an expiry in the past to force oauth2.TokenSource
+	// to perform a refresh. The oauth2 library only refreshes when the token is
+	// expired; by setting Expiry to 1 hour ago, we guarantee the subsequent
+	// tokenSource.Token() call will exchange our refresh token for a new access token.
+	oldToken := &oauth2.Token{
+		RefreshToken: refreshToken,
+		TokenType:    "Bearer",
+		Expiry:       time.Now().Add(-1 * time.Hour),
+	}
+
+	tokenSource := config.TokenSource(ctx, oldToken)
+
+	newToken, err := tokenSource.Token()
+	if err != nil {
+		return nil, fmt.Errorf("failed to refresh token: %w", err)
+	}
+
+	if newToken.RefreshToken != "" {
+		if cache != nil {
+			if saveErr := cache.saveRefreshToken(newToken.RefreshToken); saveErr != nil {
+				log.WithError(saveErr).Error("Failed to save refreshed token to cache")
+			}
+		}
+	} else {
+		newToken.RefreshToken = refreshToken
+	}
+
+	return newToken, nil
+}
+
+// tryGetCachedToken attempts to retrieve and refresh a cached token.
+// Returns (nil, cache) if no valid cached token exists but caching is available.
+func tryGetCachedToken(
+	ctx context.Context,
+	config *oauth2.Config,
+	providerUrl string,
+	clientId string,
+	cacheEnabled bool,
+) (*oauth2.Token, *tokenCache) {
+	if !cacheEnabled {
+		return nil, nil
+	}
+
+	cache, err := newTokenCache(providerUrl, clientId)
+	if err != nil {
+		log.Warn("Token cache unavailable, proceeding without caching")
+		return nil, nil
+	}
+
+	cachedRefreshToken, err := cache.getCachedRefreshToken()
+	if err != nil || cachedRefreshToken == "" {
+		return nil, cache
+	}
+
+	newToken, err := refreshToken(ctx, config, cachedRefreshToken, cache)
+	if err != nil {
+		_ = cache.deleteToken()
+		return nil, cache
+	}
+
+	return newToken, cache
+}
+
+func saveTokenToCache(token *oauth2.Token, cache *tokenCache) {
+	if cache == nil || token == nil || token.RefreshToken == "" {
+		return
+	}
+
+	if err := cache.saveRefreshToken(token.RefreshToken); err != nil {
+		log.WithError(err).Error("Failed to save token to cache")
+	}
+}

pkg/client/auth/oidc/device.go

@@ -22,7 +22,7 @@ type DeviceDetails struct {
 	Scopes      []string
 }
 
-func AuthenticateDevice(config DeviceDetails) (*TokenCredentials, error) {
+func AuthenticateDevice(config DeviceDetails, cacheToken bool) (*TokenCredentials, error) {
 	ctx := context.Background()
 
 	httpClient := http.DefaultClient
@@ -63,6 +63,12 @@ func AuthenticateDevice(config DeviceDetails) (*TokenCredentials, error) {
 		Scopes:   scopes,
 	}
 
+	// Try to use cached refresh token if enabled
+	token, cache := tryGetCachedToken(ctx, &oauth, config.ProviderUrl, config.ClientId, cacheToken)
+	if token != nil {
+		return &TokenCredentials{oauth.TokenSource(ctx, token)}, nil
+	}
+
 	deviceFlowResponse, err := requestDeviceAuthorization(ctx, httpClient, claims.DeviceAuthorizationEndpoint, config.ClientId, scopes)
 	if err != nil {
 		return nil, err
@@ -97,6 +103,7 @@ func AuthenticateDevice(config DeviceDetails) (*TokenCredentials, error) {
 			token, err := requestToken(ctx, httpClient, oauth.Endpoint.TokenURL, config.ClientId, deviceFlowResponse.DeviceCode)
 			if err == nil {
 				fmt.Printf("\nAuthentication successful!\n\n")
+				saveTokenToCache(token, cache)
 				return &TokenCredentials{oauth.TokenSource(ctx, token)}, nil
 			}
 

pkg/client/auth/oidc/password.go

@@ -15,7 +15,7 @@ type ClientPasswordDetails struct {
 	Password    string
 }
 
-func AuthenticateWithPassword(config ClientPasswordDetails) (*TokenCredentials, error) {
+func AuthenticateWithPassword(config ClientPasswordDetails, cacheToken bool) (*TokenCredentials, error) {
 	ctx := context.Background()
 
 	provider, err := openId.NewProvider(ctx, config.ProviderUrl)
@@ -34,10 +34,19 @@ func AuthenticateWithPassword(config ClientPasswordDetails) (*TokenCredentials,
 			return authConfig.PasswordCredentialsToken(ctx, config.Username, config.Password)
 		},
 	}
+
+	// Try to use cached refresh token if enabled
+	token, cache := tryGetCachedToken(ctx, authConfig, config.ProviderUrl, config.ClientId, cacheToken)
+	if token != nil {
+		return &TokenCredentials{oauth2.ReuseTokenSource(token, source)}, nil
+	}
+
 	t, err := source.Token()
 	if err != nil {
 		return nil, err
 	}
+
+	saveTokenToCache(t, cache)
 	cachedSource := oauth2.ReuseTokenSource(t, source)
 	return &TokenCredentials{cachedSource}, nil
 }

pkg/client/auth/oidc/pkce.go

@@ -25,18 +25,16 @@ type PKCEDetails struct {
 	Scopes      []string
 }
 
-func AuthenticatePkce(config PKCEDetails) (*TokenCredentials, error) {
+func AuthenticatePkce(config PKCEDetails, cacheToken bool) (*TokenCredentials, error) {
 	ctx := context.Background()
 
-	result := make(chan *oauth2.Token)
-	errorResult := make(chan error)
-
 	provider, err := openId.NewProvider(ctx, config.ProviderUrl)
 	if err != nil {
 		return nil, err
 	}
 
-	localUrl := "localhost:" + strconv.Itoa(int(config.LocalPort))
+	portStr := strconv.Itoa(int(config.LocalPort))
+	localUrl := "localhost:" + portStr
 
 	oauth := oauth2.Config{
 		ClientID:    config.ClientId,
@@ -45,6 +43,16 @@ func AuthenticatePkce(config PKCEDetails) (*TokenCredentials, error) {
 		Scopes:      append(config.Scopes, openId.ScopeOpenID),
 	}
 
+	// Try to use cached refresh token if enabled
+	token, cache := tryGetCachedToken(ctx, &oauth, config.ProviderUrl, config.ClientId, cacheToken)
+	if token != nil {
+		return &TokenCredentials{oauth.TokenSource(ctx, token)}, nil
+	}
+
+	// Perform interactive authentication if no valid cached token
+	result := make(chan *oauth2.Token)
+	errorResult := make(chan error)
+
 	state := randomStringBase64() // xss protection
 	challenge := randomStringBase64()
 	challengeSum := sha256.Sum256([]byte(challenge))
@@ -104,18 +112,18 @@ func AuthenticatePkce(config PKCEDetails) (*TokenCredentials, error) {
 	}()
 
 	cmd, err := openBrowser("http://" + localUrl)
+	if err != nil {
+		return nil, err
+	}
 	defer func() {
 		if err := cmd.Process.Kill(); err != nil {
 			log.WithStacktrace(err).Error("unable to kill process")
 		}
 	}()
 
-	if err != nil {
-		return nil, err
-	}
-
 	select {
 	case t := <-result:
+		saveTokenToCache(t, cache)
 		return &TokenCredentials{oauth.TokenSource(ctx, t)}, nil
 	case e := <-errorResult:
 		return nil, e