kubernetes: OIDC cache returns old token even after the expiration of refresh token in k8s go-client oidc auth provider

What happened: When a client's OIDC token has expired, even on passing the latest token to create a client, newOIDCAuthProvider() returns the old client with the expired tokens.

In https://github.com/kubernetes/client-go/blob/79226fe1949a01066ee9e3a3f4c53546d72e1194/plugin/pkg/client/auth/oidc/oidc.go#L122, newOIDCAuthProvider() retrieves the cached client as shown below:

    // Check cache for existing provider.
    if provider, ok := cache.getClient(issuer, clientID); ok {
        return provider, nil
    }

However, after token expiration, when we make a new call to create a client, the refresh token will be different. Since we use key := cacheKey{issuer, clientID} as the cache key, in this case it will still return the old token.

What you expected to happen: On passing the new refresh token, the code should return a new client.

How to reproduce it (as minimally and precisely as possible):

  1. Create a go-client to a cluster with OIDC-based auth.
  2. Use the client for cluster operations; this verifies the client works.
  3. Do not stop the process using the client.
  4. After the token expires, the code uses the new kubeconfig with the new token to create a new client.
  5. Use the client for a cluster operation. It fails with a token expired error.

Anything else we need to know?: A similar issue was opened a few years back: https://github.com/kubernetes/client-go/issues/268

Environment:

  • Go client version. @k8s.io/client-go v11.0.0
  • Kubernetes version (use kubectl version): 1.14.1
  • OS (e.g: cat /etc/os-release): Ubuntu
  • Kernel (e.g. uname -a): 4.15.0-1037-aws

/sig auth @liggitt
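The cache collision described in the report, as an added example written for this page rather than code from client-go: a small model of the plugin's provider cache, a constructor that keys only on issuer and client ID (the v11 behaviour), and one that also keys on the tokens. The types oidcConfig, authProvider, clientCache and the constructors are this example's own; the RefreshExpiry field, the issuer URL and the token strings are constructed so the stale provider fails deterministically offline.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// oidcConfig carries the auth-provider settings read from a kubeconfig.
// Field names follow the real keys (idp-issuer-url, client-id, id-token,
// refresh-token); the struct and RefreshExpiry are this example's own.
// The real plugin only learns a refresh token is dead when the IdP
// rejects the refresh request; here expiry is a constructed timestamp.
type oidcConfig struct {
	Issuer        string
	ClientID      string
	IDToken       string
	RefreshToken  string
	RefreshExpiry time.Time
}

// authProvider stands in for the plugin's oidcAuthProvider.
type authProvider struct{ cfg oidcConfig }

// idToken is what the transport asks for before each request. Once the
// refresh token behind it has expired every request fails, which is the
// "token expired" error at step 5 of the report.
func (p *authProvider) idToken(now time.Time) (string, error) {
	if !now.Before(p.cfg.RefreshExpiry) {
		return "", errors.New("oidc: refresh token expired")
	}
	return p.cfg.IDToken, nil
}

// cacheKey models the plugin's key. The v11 path fills only issuer and
// clientID, so every kubeconfig for one issuer/client pair collides.
type cacheKey struct {
	issuer, clientID      string
	refreshToken, idToken string
}

// clientCache models the process-wide provider cache in oidc.go. As in
// the real setClient, an entry stored first by another caller wins.
type clientCache struct {
	mu    sync.Mutex
	cache map[cacheKey]*authProvider
}

func newClientCache() *clientCache {
	return &clientCache{cache: make(map[cacheKey]*authProvider)}
}

func (c *clientCache) getClient(k cacheKey) (*authProvider, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	p, ok := c.cache[k]
	return p, ok
}

func (c *clientCache) setClient(k cacheKey, p *authProvider) *authProvider {
	c.mu.Lock()
	defer c.mu.Unlock()
	if existing, ok := c.cache[k]; ok {
		return existing
	}
	c.cache[k] = p
	return p
}

// newProviderV11 reproduces the reported behaviour: a hit on
// (issuer, clientID) returns whatever provider was stored first, even
// when cfg carries a newer refresh token.
func newProviderV11(c *clientCache, cfg oidcConfig) *authProvider {
	k := cacheKey{issuer: cfg.Issuer, clientID: cfg.ClientID}
	if p, ok := c.getClient(k); ok {
		return p
	}
	return c.setClient(k, &authProvider{cfg: cfg})
}

// newProviderKeyedOnTokens is one way to fix it (an assumption of this
// example, not necessarily the patch that resolved the issue): keying on
// the credentials too makes a kubeconfig with a new refresh token miss
// the cache and get a live provider. Dead entries are not evicted here.
func newProviderKeyedOnTokens(c *clientCache, cfg oidcConfig) *authProvider {
	k := cacheKey{cfg.Issuer, cfg.ClientID, cfg.RefreshToken, cfg.IDToken}
	if p, ok := c.getClient(k); ok {
		return p
	}
	return c.setClient(k, &authProvider{cfg: cfg})
}

// reproduce walks the report's steps against one constructor and returns
// the token served to the second client, or the error it hit.
func reproduce(newProvider func(*clientCache, oidcConfig) *authProvider) (string, error) {
	c := newClientCache()
	t0 := time.Date(2019, 6, 1, 0, 0, 0, 0, time.UTC)
	first := oidcConfig{ // constructed kubeconfig values; issuer is not real
		Issuer: "https://issuer.example", ClientID: "kubernetes",
		IDToken: "id-1", RefreshToken: "refresh-1", RefreshExpiry: t0.Add(time.Hour),
	}
	if _, err := newProvider(c, first).idToken(t0); err != nil { // steps 1-2
		return "", fmt.Errorf("first client: %w", err)
	}
	t1 := t0.Add(2 * time.Hour) // step 4: refresh-1 is expired by now
	second := first
	second.IDToken, second.RefreshToken = "id-2", "refresh-2"
	second.RefreshExpiry = t1.Add(time.Hour)
	return newProvider(c, second).idToken(t1) // step 5
}

func main() {
	tok, err := reproduce(newProviderV11)
	fmt.Printf("v11 cache key:       token=%q err=%v\n", tok, err)
	tok, err = reproduce(newProviderKeyedOnTokens)
	fmt.Printf("key includes tokens: token=%q err=%v\n", tok, err)
}
```

Running it, the v11-style key serves the second client from the first, dead provider and fails with the refresh-token error, while the token-aware key hands out a provider built from the new kubeconfig. Note that the second approach trades the stale-hit problem for unbounded growth of the map unless expired entries are evicted.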

About this issue

  • State: open
  • Created 5 years ago
  • Reactions: 1
  • Comments: 20 (15 by maintainers)

Most upvoted comments

Right, and when the refresh token expires, the provider is dead in the water, and calling newOIDCAuthProvider() even with a new config with a new refresh token returns the dead cached provider.

I will have a PR soon, thanks!

If we pass idToken and refreshToken, we will keep updating the cache every time. This solution works, though.