Improve OidcTokenProvider error handling and expiry setting

tg123 · tg123 · commit dffc59e5cefa · 2025-02-21T01:48:20.000-08:00
The constructor `OidcTokenProvider` now always sets the `_expiry`
field by calling `GetExpiryFromToken()`, regardless of whether
`_idToken` is null or empty, removing the previous check for a
non-empty `_idToken`.

The `GetExpiryFromToken` method has been updated to handle invalid
JWT token formats more gracefully. Instead of throwing an
`ArgumentException` when the token format is invalid or when the
'exp' claim is missing, the method now returns a default value.

The logic for parsing the JWT token and extracting the 'exp' claim
has been wrapped in a try-catch block. If any exception occurs
during this process, it is caught, and the method returns a default
value instead of throwing an exception.
diff --git a/src/KubernetesClient/Authentication/OidcTokenProvider.cs b/src/KubernetesClient/Authentication/OidcTokenProvider.cs
@@ -22,11 +22,7 @@ public OidcTokenProvider(string clientId, string clientSecret, string idpIssuerU
             _idpIssuerUrl = idpIssuerUrl;
             _idToken = idToken;
             _refreshToken = refreshToken;
-
-            if (!string.IsNullOrEmpty(_idToken))
-            {
-                _expiry = GetExpiryFromToken();
-            }
+            _expiry = GetExpiryFromToken();
         }
 
         public async Task<AuthenticationHeaderValue> GetAuthenticationHeaderAsync(CancellationToken cancellationToken)
@@ -44,24 +40,28 @@ private DateTimeOffset GetExpiryFromToken()
             var parts = _idToken.Split('.');
             if (parts.Length != 3)
             {
-                throw new ArgumentException("Invalid JWT token format.");
+                return default;
             }
 
-            var payload = parts[1];
-            var jsonBytes = Base64UrlDecode(payload);
-            var json = Encoding.UTF8.GetString(jsonBytes);
-
-            using var document = JsonDocument.Parse(json);
-            if (document.RootElement.TryGetProperty("exp", out var expElement))
+            try
             {
-                var exp = expElement.GetInt64();
-                var expiryDateTime = DateTimeOffset.FromUnixTimeSeconds(exp);
-                return expiryDateTime;
+                var payload = parts[1];
+                var jsonBytes = Base64UrlDecode(payload);
+                var json = Encoding.UTF8.GetString(jsonBytes);
+
+                using var document = JsonDocument.Parse(json);
+                if (document.RootElement.TryGetProperty("exp", out var expElement))
+                {
+                    var exp = expElement.GetInt64();
+                    return DateTimeOffset.FromUnixTimeSeconds(exp);
+                }
             }
-            else
+            catch
             {
-                throw new ArgumentException("JWT token does not contain 'exp' claim.");
+                // ignore to default
             }
+
+            return default;
         }
 
         private static byte[] Base64UrlDecode(string input)
