feat(armadactl): add OIDC refresh token caching

Add token caching for OIDC auth to avoid repeated browser authentication.
The refresh token is securely stored in the system keyring (macOS Keychain,
Windows Credential Manager, Linux Secret Service).

To enable, add `cacheRefreshToken: true` to your context in ~/.armadactl.yaml
and include `offline_access` in your scopes.

Note: armadactl must be built with CGO_ENABLED=1 on macOS for keychain access.

Signed-off-by: Dejan Zele Pejchev <[email protected]>

Author: dejanzele

.goreleaser.yml

@@ -138,6 +138,10 @@ builds:
     goarch:
       - amd64
       - arm64
+    overrides:
+      - goos: darwin
+        env:
+          - CGO_ENABLED=1
 
 source:
   enabled: true

go.mod

@@ -52,6 +52,7 @@ require (
 )
 
 require (
+	github.com/99designs/keyring v1.2.1
 	github.com/IBM/pgxpoolprometheus v1.1.1
 	github.com/Masterminds/semver/v3 v3.3.1
 	github.com/benbjohnson/immutable v0.4.3
@@ -89,7 +90,6 @@ require (
 require (
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
-	github.com/99designs/keyring v1.2.1 // indirect
 	github.com/AlekSi/pointer v1.2.0 // indirect
 	github.com/AthenZ/athenz v1.10.39 // indirect
 	github.com/DataDog/zstd v1.5.5 // indirect

pkg/client/auth/oidc/cache.go

@@ -0,0 +1,199 @@
+package oidc
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/99designs/keyring"
+	"golang.org/x/oauth2"
+
+	log "github.com/armadaproject/armada/internal/common/logging"
+)
+
+const (
+	keyringServiceName = "armada-oidc"
+)
+
+var errCacheNotInitialized = errors.New("token cache not initialized")
+
+type tokenCache struct {
+	ring        keyring.Keyring
+	providerUrl string
+	clientId    string
+}
+
+type cachedToken struct {
+	RefreshToken string `json:"refresh_token"`
+}
+
+func newTokenCache(providerUrl, clientId string) (*tokenCache, error) {
+	ring, err := keyring.Open(keyring.Config{
+		ServiceName:                    keyringServiceName,
+		AllowedBackends:                keyring.AvailableBackends(),
+		KeychainTrustApplication:       true,
+		KeychainSynchronizable:         false,
+		KeychainAccessibleWhenUnlocked: true,
+		KWalletAppID:                   "armada",
+		KWalletFolder:                  "armada",
+		LibSecretCollectionName:        "armada",
+		WinCredPrefix:                  "armada",
+	})
+	if err != nil {
+		return nil, fmt.Errorf("no secure keyring backend available: %w", err)
+	}
+
+	return &tokenCache{
+		ring:        ring,
+		providerUrl: providerUrl,
+		clientId:    clientId,
+	}, nil
+}
+
+func (tc *tokenCache) getKey() string {
+	return fmt.Sprintf("%s:%s", tc.providerUrl, tc.clientId)
+}
+
+func (tc *tokenCache) getCachedRefreshToken() (string, error) {
+	if tc == nil || tc.ring == nil {
+		return "", errCacheNotInitialized
+	}
+
+	key := tc.getKey()
+	item, err := tc.ring.Get(key)
+	if err != nil {
+		if errors.Is(err, keyring.ErrKeyNotFound) {
+			return "", nil
+		}
+		return "", fmt.Errorf("failed to get token from keyring: %w", err)
+	}
+
+	var cached cachedToken
+	if err := json.Unmarshal(item.Data, &cached); err != nil {
+		return "", fmt.Errorf("failed to unmarshal cached token: %w", err)
+	}
+
+	return cached.RefreshToken, nil
+}
+
+func (tc *tokenCache) saveRefreshToken(refreshToken string) error {
+	if tc == nil || tc.ring == nil {
+		return errCacheNotInitialized
+	}
+
+	if refreshToken == "" {
+		return errors.New("refresh token is empty")
+	}
+
+	key := tc.getKey()
+	cached := cachedToken{
+		RefreshToken: refreshToken,
+	}
+
+	data, err := json.Marshal(cached)
+	if err != nil {
+		return fmt.Errorf("failed to marshal token: %w", err)
+	}
+
+	item := keyring.Item{
+		Key:         key,
+		Data:        data,
+		Label:       fmt.Sprintf("Armada OIDC Refresh Token (%s)", tc.clientId),
+		Description: fmt.Sprintf("OAuth2 refresh token for %s", tc.providerUrl),
+	}
+
+	if err := tc.ring.Set(item); err != nil {
+		return fmt.Errorf("failed to save refresh token to keyring: %w", err)
+	}
+
+	return nil
+}
+
+func (tc *tokenCache) deleteToken() error {
+	if tc == nil || tc.ring == nil {
+		return errCacheNotInitialized
+	}
+
+	if err := tc.ring.Remove(tc.getKey()); err != nil && !errors.Is(err, keyring.ErrKeyNotFound) {
+		return fmt.Errorf("failed to delete token from keyring: %w", err)
+	}
+	return nil
+}
+
+// refreshToken exchanges a refresh token for a new access token.
+// If the provider returns a new refresh token (rotation), it updates the cache.
+func refreshToken(ctx context.Context, config *oauth2.Config, refreshToken string, cache *tokenCache) (*oauth2.Token, error) {
+	if refreshToken == "" {
+		return nil, errors.New("no refresh token available")
+	}
+
+	oldToken := &oauth2.Token{
+		RefreshToken: refreshToken,
+		TokenType:    "Bearer",
+		Expiry:       time.Now().Add(-1 * time.Hour),
+	}
+
+	tokenSource := config.TokenSource(ctx, oldToken)
+
+	newToken, err := tokenSource.Token()
+	if err != nil {
+		return nil, fmt.Errorf("failed to refresh token: %w", err)
+	}
+
+	if newToken.RefreshToken != "" {
+		if cache != nil {
+			if saveErr := cache.saveRefreshToken(newToken.RefreshToken); saveErr != nil {
+				log.WithError(saveErr).Error("Failed to save refreshed token to cache")
+			}
+		}
+	} else {
+		newToken.RefreshToken = refreshToken
+	}
+
+	return newToken, nil
+}
+
+// tryGetCachedToken attempts to retrieve and refresh a cached token.
+// Returns (nil, cache) if no valid cached token exists but caching is available.
+func tryGetCachedToken(
+	ctx context.Context,
+	config *oauth2.Config,
+	providerUrl string,
+	clientId string,
+	cacheEnabled bool,
+) (*oauth2.Token, *tokenCache) {
+	if !cacheEnabled {
+		return nil, nil
+	}
+
+	cache, err := newTokenCache(providerUrl, clientId)
+	if err != nil {
+		log.Warn("Token cache unavailable, proceeding without caching")
+		return nil, nil
+	}
+
+	cachedRefreshToken, err := cache.getCachedRefreshToken()
+	if err != nil || cachedRefreshToken == "" {
+		return nil, cache
+	}
+
+	newToken, err := refreshToken(ctx, config, cachedRefreshToken, cache)
+	if err != nil {
+		_ = cache.deleteToken()
+		return nil, cache
+	}
+
+	return newToken, cache
+}
+
+func saveTokenToCache(token *oauth2.Token, cache *tokenCache) {
+	if cache == nil || token == nil || token.RefreshToken == "" {
+		return
+	}
+
+	if err := cache.saveRefreshToken(token.RefreshToken); err != nil {
+		log.WithError(err).Error("Failed to save token to cache")
+	}
+}

pkg/client/auth/oidc/device.go

@@ -22,7 +22,7 @@ type DeviceDetails struct {
 	Scopes      []string
 }
 
-func AuthenticateDevice(config DeviceDetails) (*TokenCredentials, error) {
+func AuthenticateDevice(config DeviceDetails, cacheToken bool) (*TokenCredentials, error) {
 	ctx := context.Background()
 
 	httpClient := http.DefaultClient
@@ -63,6 +63,12 @@ func AuthenticateDevice(config DeviceDetails) (*TokenCredentials, error) {
 		Scopes:   scopes,
 	}
 
+	// Try to use cached refresh token if enabled
+	token, cache := tryGetCachedToken(ctx, &oauth, config.ProviderUrl, config.ClientId, cacheToken)
+	if token != nil {
+		return &TokenCredentials{oauth.TokenSource(ctx, token)}, nil
+	}
+
 	deviceFlowResponse, err := requestDeviceAuthorization(ctx, httpClient, claims.DeviceAuthorizationEndpoint, config.ClientId, scopes)
 	if err != nil {
 		return nil, err
@@ -97,6 +103,7 @@ func AuthenticateDevice(config DeviceDetails) (*TokenCredentials, error) {
 			token, err := requestToken(ctx, httpClient, oauth.Endpoint.TokenURL, config.ClientId, deviceFlowResponse.DeviceCode)
 			if err == nil {
 				fmt.Printf("\nAuthentication successful!\n\n")
+				saveTokenToCache(token, cache)
 				return &TokenCredentials{oauth.TokenSource(ctx, token)}, nil
 			}
 

pkg/client/auth/oidc/password.go

@@ -15,7 +15,7 @@ type ClientPasswordDetails struct {
 	Password    string
 }
 
-func AuthenticateWithPassword(config ClientPasswordDetails) (*TokenCredentials, error) {
+func AuthenticateWithPassword(config ClientPasswordDetails, cacheToken bool) (*TokenCredentials, error) {
 	ctx := context.Background()
 
 	provider, err := openId.NewProvider(ctx, config.ProviderUrl)
@@ -34,10 +34,19 @@ func AuthenticateWithPassword(config ClientPasswordDetails) (*TokenCredentials,
 			return authConfig.PasswordCredentialsToken(ctx, config.Username, config.Password)
 		},
 	}
+
+	// Try to use cached refresh token if enabled
+	token, cache := tryGetCachedToken(ctx, authConfig, config.ProviderUrl, config.ClientId, cacheToken)
+	if token != nil {
+		return &TokenCredentials{oauth2.ReuseTokenSource(token, source)}, nil
+	}
+
 	t, err := source.Token()
 	if err != nil {
 		return nil, err
 	}
+
+	saveTokenToCache(t, cache)
 	cachedSource := oauth2.ReuseTokenSource(t, source)
 	return &TokenCredentials{cachedSource}, nil
 }

pkg/client/auth/oidc/pkce.go

@@ -25,18 +25,16 @@ type PKCEDetails struct {
 	Scopes      []string
 }
 
-func AuthenticatePkce(config PKCEDetails) (*TokenCredentials, error) {
+func AuthenticatePkce(config PKCEDetails, cacheToken bool) (*TokenCredentials, error) {
 	ctx := context.Background()
 
-	result := make(chan *oauth2.Token)
-	errorResult := make(chan error)
-
 	provider, err := openId.NewProvider(ctx, config.ProviderUrl)
 	if err != nil {
 		return nil, err
 	}
 
-	localUrl := "localhost:" + strconv.Itoa(int(config.LocalPort))
+	portStr := strconv.Itoa(int(config.LocalPort))
+	localUrl := "localhost:" + portStr
 
 	oauth := oauth2.Config{
 		ClientID:    config.ClientId,
@@ -45,6 +43,16 @@ func AuthenticatePkce(config PKCEDetails) (*TokenCredentials, error) {
 		Scopes:      append(config.Scopes, openId.ScopeOpenID),
 	}
 
+	// Try to use cached refresh token if enabled
+	token, cache := tryGetCachedToken(ctx, &oauth, config.ProviderUrl, config.ClientId, cacheToken)
+	if token != nil {
+		return &TokenCredentials{oauth.TokenSource(ctx, token)}, nil
+	}
+
+	// Perform interactive authentication if no valid cached token
+	result := make(chan *oauth2.Token)
+	errorResult := make(chan error)
+
 	state := randomStringBase64() // xss protection
 	challenge := randomStringBase64()
 	challengeSum := sha256.Sum256([]byte(challenge))
@@ -104,18 +112,18 @@ func AuthenticatePkce(config PKCEDetails) (*TokenCredentials, error) {
 	}()
 
 	cmd, err := openBrowser("http://" + localUrl)
+	if err != nil {
+		return nil, err
+	}
 	defer func() {
 		if err := cmd.Process.Kill(); err != nil {
 			log.WithStacktrace(err).Error("unable to kill process")
 		}
 	}()
 
-	if err != nil {
-		return nil, err
-	}
-
 	select {
 	case t := <-result:
+		saveTokenToCache(t, cache)
 		return &TokenCredentials{oauth.TokenSource(ctx, t)}, nil
 	case e := <-errorResult:
 		return nil, e

pkg/client/connection.go

@@ -45,6 +45,7 @@ type ApiConnectionDetails struct {
 	OpenIdKubernetesAuth        oidc.KubernetesDetails
 	ForceNoTls                  bool
 	ExecAuth                    exec.CommandDetails
+	CacheRefreshToken           bool
 }
 
 type ConnectionDetails func() (*ApiConnectionDetails, error)
@@ -101,11 +102,11 @@ func perRpcCredentials(config *ApiConnectionDetails) (credentials.PerRPCCredenti
 	} else if config.KubernetesNativeAuth.Enabled {
 		return kubernetes.AuthenticateKubernetesNative(config.KubernetesNativeAuth)
 	} else if config.OpenIdAuth.ProviderUrl != "" {
-		return oidc.AuthenticatePkce(config.OpenIdAuth)
+		return oidc.AuthenticatePkce(config.OpenIdAuth, config.CacheRefreshToken)
 	} else if config.OpenIdDeviceAuth.ProviderUrl != "" {
-		return oidc.AuthenticateDevice(config.OpenIdDeviceAuth)
+		return oidc.AuthenticateDevice(config.OpenIdDeviceAuth, config.CacheRefreshToken)
 	} else if config.OpenIdPasswordAuth.ProviderUrl != "" {
-		return oidc.AuthenticateWithPassword(config.OpenIdPasswordAuth)
+		return oidc.AuthenticateWithPassword(config.OpenIdPasswordAuth, config.CacheRefreshToken)
 	} else if config.OpenIdClientCredentialsAuth.ProviderUrl != "" {
 		return oidc.AuthenticateWithClientCredentials(config.OpenIdClientCredentialsAuth)
 	} else if config.OpenIdKubernetesAuth.ProviderUrl != "" {