Description
Problem
The token cache key computation does not include the --oidc-auth-request-extra-params flag values. This causes tokens with different extra parameters (e.g., different audience values) to incorrectly share the same cache entry.
Expected Behavior
Tokens requested with different --oidc-auth-request-extra-params values should be cached separately, as they represent fundamentally different tokens.
For example:
kubelogin get-token --oidc-auth-request-extra-params audience=api1
kubelogin get-token --oidc-auth-request-extra-params audience=api2
These should produce different cache entries since they request tokens for different audiences.
Actual Behavior
Both commands above would use the same cache key because AuthRequestExtraParams is not included in the tokencache.Key struct used by computeChecksum().
Root Cause
In pkg/tokencache/types.go, the Key struct only contains:
type Key struct {
	Provider        oidc.Provider
	TLSClientConfig tlsclientconfig.Config
	Username        string
}
The AuthRequestExtraParams from pkg/cmd/authentication.go is passed to the authentication grants but never included in the cache key computation.
Proposed Solution
Add AuthRequestExtraParams map[string]string to the tokencache.Key struct and ensure it's populated when constructing the cache key.
Related
Possibly related to #29 (users experiencing cache collision issues when switching contexts)
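
The collision and the proposed fix, as an added example that is not kubelogin's own code: Key here is a simplified stand-in with hypothetical fields IssuerURL and ClientID, and Checksum is an assumed SHA-256 scheme, not the project's computeChecksum(). It also covers map ordering: parameter names are sorted before hashing so the same parameters always give the same cache key.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
	"sort"
)

// Key is a simplified stand-in for tokencache.Key (hypothetical fields; the
// real struct holds oidc.Provider and tlsclientconfig.Config values).
type Key struct {
	IssuerURL, ClientID, Username string
	AuthRequestExtraParams        map[string]string // field the issue proposes adding
}

// writeField length-prefixes a value so "ab"+"c" and "a"+"bc" hash differently.
func writeField(h hash.Hash, s string) { fmt.Fprintf(h, "%d:%s", len(s), s) }

// Checksum hashes the key. includeExtra=false models the reported behaviour,
// includeExtra=true models the proposed fix.
func Checksum(k Key, includeExtra bool) string {
	h := sha256.New()
	for _, f := range []string{k.IssuerURL, k.ClientID, k.Username} {
		writeField(h, f)
	}
	if includeExtra {
		// Go map iteration order is randomized, so hash names in sorted order.
		names := make([]string, 0, len(k.AuthRequestExtraParams))
		for n := range k.AuthRequestExtraParams {
			names = append(names, n)
		}
		sort.Strings(names)
		for _, n := range names {
			writeField(h, n)
			writeField(h, k.AuthRequestExtraParams[n])
		}
	}
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	a := Key{IssuerURL: "https://issuer.example", ClientID: "kubectl", AuthRequestExtraParams: map[string]string{"audience": "api1"}}
	b := a
	b.AuthRequestExtraParams = map[string]string{"audience": "api2"}
	fmt.Println("without extra params, same key:", Checksum(a, false) == Checksum(b, false))
	fmt.Println("with extra params, same key:   ", Checksum(a, true) == Checksum(b, true))
}
```

Whatever serialization the real checksum uses, it has to be deterministic for maps; one that walks the map in iteration order would turn every lookup into a cache miss.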