fix: support opaque access tokens

pkg/oidc/client/client.go

@@ -81,22 +81,12 @@ func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce str
 			return nil, fmt.Errorf("access_token is missing in the token response: %#v", accessToken)
 		}
 
-		// We intentionally do not perform a ClientID check here because there
-		// are some use cases in access_tokens where we *expect* the audience
-		// to differ. For example, one can explicitly set
-		// `audience=CLUSTER_CLIENT_ID` as an extra auth parameter.
-		verifier = c.provider.Verifier(&gooidc.Config{ClientID: "", Now: c.clock.Now, SkipClientIDCheck: true})
-
-		_, err := verifier.Verify(ctx, accessToken)
-		if err != nil {
-			return nil, fmt.Errorf("could not verify the access token: %w", err)
-		}
-
 		// There is no `nonce` to check on the `access_token`. We rely on the
 		// above `nonce` check on the `id_token`.
-
+		// Opaque access tokens are valid under OIDC, thus we cannot verify it without making calls to provider-specific endpoints.
 		return &oidc.TokenSet{
-			IDToken:      accessToken,
+			IDToken:      idToken,
+			AccessToken:  token.AccessToken,
 			RefreshToken: token.RefreshToken,
 		}, nil
 	}

pkg/oidc/oidc.go

@@ -33,13 +33,21 @@ const (
 // TokenSet represents a set of ID token and refresh token.
 type TokenSet struct {
 	IDToken      string
+	AccessToken  string
 	RefreshToken string
 }
 
 func (ts TokenSet) DecodeWithoutVerify() (*jwt.Claims, error) {
 	return jwt.DecodeWithoutVerify(ts.IDToken)
 }
 
+func (p *Provider) SelectToken(ts *TokenSet) string {
+	if p.UseAccessToken {
+		return ts.AccessToken
+	}
+	return ts.IDToken
+}
+
 func NewState() (string, error) {
 	b, err := random32()
 	if err != nil {

pkg/tokencache/repository/repository.go

@@ -32,6 +32,7 @@ type Interface interface {
 
 type entity struct {
 	IDToken      string `json:"id_token,omitempty"`
+	AccessToken  string `json:"access_token,omitempty"`
 	RefreshToken string `json:"refresh_token,omitempty"`
 }
 
@@ -98,6 +99,7 @@ func decodeKey(b []byte) (*oidc.TokenSet, error) {
 	}
 	return &oidc.TokenSet{
 		IDToken:      e.IDToken,
+		AccessToken:  e.AccessToken,
 		RefreshToken: e.RefreshToken,
 	}, nil
 }
@@ -196,6 +198,7 @@ func (r *Repository) DeleteAll(config tokencache.Config) error {
 func encodeKey(tokenSet oidc.TokenSet) ([]byte, error) {
 	e := entity{
 		IDToken:      tokenSet.IDToken,
+		AccessToken:  tokenSet.AccessToken,
 		RefreshToken: tokenSet.RefreshToken,
 	}
 	return json.Marshal(&e)

pkg/usecases/credentialplugin/get_token.go

@@ -96,7 +96,7 @@ func (u *GetToken) Do(ctx context.Context, in Input) error {
 			if !claims.IsExpired(u.Clock) {
 				u.Logger.V(1).Infof("you already have a valid token until %s", claims.Expiry)
 				out := credentialplugin.Output{
-					Token:                          cachedTokenSet.IDToken,
+					Token:                          in.Provider.SelectToken(cachedTokenSet),
 					Expiry:                         claims.Expiry,
 					ClientAuthenticationAPIVersion: credentialPluginInput.ClientAuthenticationAPIVersion,
 				}
@@ -130,7 +130,7 @@ func (u *GetToken) Do(ctx context.Context, in Input) error {
 	}
 	u.Logger.V(1).Infof("writing the token to client-go")
 	out := credentialplugin.Output{
-		Token:                          authenticationOutput.TokenSet.IDToken,
+		Token:                          in.Provider.SelectToken(&authenticationOutput.TokenSet),
 		Expiry:                         idTokenClaims.Expiry,
 		ClientAuthenticationAPIVersion: credentialPluginInput.ClientAuthenticationAPIVersion,
 	}