[Feature] [Platform] OpenID Refresh (#1908)

Author: ajanikow

CHANGELOG.md

@@ -23,6 +23,7 @@
 - (Maintenance) Grade Doc Field
 - (Feature) (Platform) Improve Platform Components names
 - (Feature) Extend Shared Types
+- (Feature) (Platform) OpenID Refresh Feature
 
 ## [1.2.48](https://github.com/arangodb/kube-arangodb/tree/1.2.48) (2025-05-08)
 - (Maintenance) Extend Documentation

README.md

@@ -88,7 +88,9 @@ covers individual newer features separately.
 
 | Feature | Operator Version | Introduced | ArangoDB Version | ArangoDB Edition | State | Enabled | Flag | Remarks |
 |:--- |:--- |:--- |:--- |:--- |:--- |:--- |:--- |:--- |
-| Gateway | 1.2.43 | 1.2.43 | >= 3.8.0 | Community, Enterprise | Alpha | True | N/A | Support for ArangoDeployment Gateway Group |
+| ArangoPlatform OpenID SSO | 1.2.49 | 1.2.49 | >= 3.8.0 | Community, Enterprise | Beta | True | N/A | Support for ArangoPlatform SSO with OpenID |
+| ArangoPlatform OpenID SSO Refresh | 1.2.49 | 1.2.49 | >= 3.8.0 | Community, Enterprise | Alpha | True | N/A | Support for ArangoPlatform SSO with OpenID Refresh |
+| ArangoPlatform | 1.2.49 | 1.2.43 | >= 3.8.0 | Community, Enterprise | Beta | True | N/A | ArangoPlatform Solution with support for ArangoDeployment Gateway Group |
 | Cleanup Imported Backups | 1.2.41 | 1.2.41 | >= 3.8.0 | Community, Enterprise | Production | False | --deployment.feature.backup-cleanup | Cleanup backups created outside of the Operator and imported into Kubernetes ArangoBackup |
 | Upscale resources spec in init containers | 1.2.36 | 1.2.36 | >= 3.8.0 | Community, Enterprise | Production | True | --deployment.feature.init-containers-upscale-resources | Upscale resources spec to built-in init containers if they are not specified or lower |
 | Create backups asynchronously | 1.2.35 | 1.2.41 | >= 3.8.0 | Community, Enterprise | Production | True | --deployment.feature.async-backup-creation | Create backups asynchronously to avoid blocking the operator and reaching the timeout |

docs/api/ArangoPlatform.V1Alpha1.Authentication.OpenID.md

@@ -8,17 +8,27 @@ title: ArangoPlatform V1Alpha1 Authentication OpenID
 
 ## 
 
+### .claims.username
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L254)</sup>
+
+Username defines the claim key to extract username
+
+Default Value: `username`
+
+***
+
 ### .client.id
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L223)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L229)</sup>
 
 ID defines OpenID Client ID
 
 ***
 
 ### .client.secret
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L226)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L232)</sup>
 
 Secret defines OpenID Client Secret
 
@@ -40,9 +50,24 @@ Endpoint defines the OpenID callback Endpoint
 
 ***
 
+### .features.refreshEnabled
+
+Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L240)</sup>
+
+> [!WARNING]
+> ***ALPHA***
+> 
+> **Experimental Feature, in development**
+
+RefreshEnabled defines if the Refresh OpenID Functionality is enabled
+
+Default Value: `false`
+
+***
+
 ### .http.insecure
 
-Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L179)</sup>
+Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L185)</sup>
 
 Insecure defines if insecure HTTP Client is used
 
@@ -52,7 +77,7 @@ Default Value: `false`
 
 ### .provider..authorizationEndpoint
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L210)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L216)</sup>
 
 AuthorizationEndpoint defines OpenID Authorization Endpoint
 
@@ -63,7 +88,7 @@ Links:
 
 ### .provider..tokenEndpoint
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L214)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L220)</sup>
 
 TokenEndpoint defines OpenID Token Endpoint
 
@@ -74,7 +99,7 @@ Links:
 
 ### .provider..userInfoEndpoint
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L218)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L224)</sup>
 
 UserInfoEndpoint defines OpenID UserInfo Endpoint
 
@@ -85,7 +110,7 @@ Links:
 
 ### .provider.issuer
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L204)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L210)</sup>
 
 Issuer defines OpenID Issuer
 

docs/features/README.md

@@ -8,7 +8,9 @@ title: List of all features
 
 | Feature | Operator Version | Introduced | ArangoDB Version | ArangoDB Edition | State | Enabled | Flag | Remarks |
 |:--- |:--- |:--- |:--- |:--- |:--- |:--- |:--- |:--- |
-| Gateway | 1.2.43 | 1.2.43 | >= 3.8.0 | Community, Enterprise | Alpha | True | N/A | Support for ArangoDeployment Gateway Group |
+| ArangoPlatform OpenID SSO | 1.2.49 | 1.2.49 | >= 3.8.0 | Community, Enterprise | Beta | True | N/A | Support for ArangoPlatform SSO with OpenID |
+| ArangoPlatform OpenID SSO Refresh | 1.2.49 | 1.2.49 | >= 3.8.0 | Community, Enterprise | Alpha | True | N/A | Support for ArangoPlatform SSO with OpenID Refresh |
+| ArangoPlatform | 1.2.49 | 1.2.43 | >= 3.8.0 | Community, Enterprise | Beta | True | N/A | ArangoPlatform Solution with support for ArangoDeployment Gateway Group |
 | Cleanup Imported Backups | 1.2.41 | 1.2.41 | >= 3.8.0 | Community, Enterprise | Production | False | --deployment.feature.backup-cleanup | Cleanup backups created outside of the Operator and imported into Kubernetes ArangoBackup |
 | Upscale resources spec in init containers | 1.2.36 | 1.2.36 | >= 3.8.0 | Community, Enterprise | Production | True | --deployment.feature.init-containers-upscale-resources | Upscale resources spec to built-in init containers if they are not specified or lower |
 | Create backups asynchronously | 1.2.35 | 1.2.41 | >= 3.8.0 | Community, Enterprise | Production | True | --deployment.feature.async-backup-creation | Create backups asynchronously to avoid blocking the operator and reaching the timeout |

integrations/envoy/auth/v3/impl.go

@@ -36,10 +36,10 @@ import (
 	"github.com/arangodb/kube-arangodb/pkg/util/svc"
 )
 
-func New(config pbImplEnvoyAuthV3Shared.Configuration) svc.Handler {
+func New(ctx context.Context, config pbImplEnvoyAuthV3Shared.Configuration) svc.Handler {
 	return &impl{
 		config:  config,
-		handler: impl2.Factory().Render(config),
+		handler: impl2.Factory().Render(ctx, config),
 	}
 }
 

integrations/envoy/auth/v3/impl/auth_bearer/impl.go

@@ -22,6 +22,7 @@ package auth_bearer
 
 import (
 	"context"
+	"time"
 
 	pbEnvoyAuthV3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 
@@ -33,7 +34,7 @@ import (
 	"github.com/arangodb/kube-arangodb/pkg/util/strings"
 )
 
-func New(configuration pbImplEnvoyAuthV3Shared.Configuration) (pbImplEnvoyAuthV3Shared.AuthHandler, bool) {
+func New(ctx context.Context, configuration pbImplEnvoyAuthV3Shared.Configuration) (pbImplEnvoyAuthV3Shared.AuthHandler, bool) {
 	if !configuration.Extensions.JWT {
 		return nil, false
 	}
@@ -43,32 +44,32 @@ func New(configuration pbImplEnvoyAuthV3Shared.Configuration) (pbImplEnvoyAuthV3
 	z.configuration = configuration
 	z.authClient = cache.NewObject[pbAuthenticationV1.AuthenticationV1Client](configuration.GetAuthClientFetcher)
 
-	z.cache = cache.NewCache[pbImplEnvoyAuthV3Shared.Token, pbImplEnvoyAuthV3Shared.ResponseAuth](func(ctx context.Context, in pbImplEnvoyAuthV3Shared.Token) (pbImplEnvoyAuthV3Shared.ResponseAuth, error) {
+	z.cache = cache.NewCache[pbImplEnvoyAuthV3Shared.Token, pbImplEnvoyAuthV3Shared.ResponseAuth](func(ctx context.Context, in pbImplEnvoyAuthV3Shared.Token) (pbImplEnvoyAuthV3Shared.ResponseAuth, time.Time, error) {
 		client, err := z.authClient.Get(ctx)
 		if err != nil {
-			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, err
+			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, util.Default[time.Time](), err
 		}
 
 		resp, err := client.Validate(ctx, &pbAuthenticationV1.ValidateRequest{
 			Token: string(in),
 		})
 		if err != nil {
-			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, err
+			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, util.Default[time.Time](), err
 		}
 
 		if !resp.GetIsValid() {
-			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, errors.Errorf("Invalid Token: %s", resp.GetMessage())
+			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, util.Default[time.Time](), errors.Errorf("Invalid Token: %s", resp.GetMessage())
 		}
 
 		if resp.Details == nil {
-			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, errors.Errorf("Missing Details: %s", resp.GetMessage())
+			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, util.Default[time.Time](), errors.Errorf("Missing Details: %s", resp.GetMessage())
 		}
 
 		return pbImplEnvoyAuthV3Shared.ResponseAuth{
 			User:  resp.GetDetails().GetUser(),
 			Roles: resp.GetDetails().GetRoles(),
-		}, nil
-	}, pbImplEnvoyAuthV3Shared.DefaultTTL)
+		}, time.Now().Add(pbImplEnvoyAuthV3Shared.DefaultTTL), nil
+	})
 
 	return z, true
 }

integrations/envoy/auth/v3/impl/auth_cookie/impl.go

@@ -24,6 +24,7 @@ import (
 	"context"
 	goHttp "net/http"
 	goStrings "strings"
+	"time"
 
 	pbEnvoyCoreV3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	pbEnvoyAuthV3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
@@ -38,7 +39,7 @@ import (
 
 const JWTAuthorizationCookieName = "X-ArangoDB-Token-JWT"
 
-func New(configuration pbImplEnvoyAuthV3Shared.Configuration) (pbImplEnvoyAuthV3Shared.AuthHandler, bool) {
+func New(ctx context.Context, configuration pbImplEnvoyAuthV3Shared.Configuration) (pbImplEnvoyAuthV3Shared.AuthHandler, bool) {
 	if !configuration.Extensions.CookieJWT {
 		logger.Info("Gateway CookieAuth Disabled")
 		return nil, false
@@ -48,32 +49,32 @@ func New(configuration pbImplEnvoyAuthV3Shared.Configuration) (pbImplEnvoyAuthV3
 
 	z.configuration = configuration
 	z.authClient = cache.NewObject[pbAuthenticationV1.AuthenticationV1Client](configuration.GetAuthClientFetcher)
-	z.cache = cache.NewCache[pbImplEnvoyAuthV3Shared.Token, pbImplEnvoyAuthV3Shared.ResponseAuth](func(ctx context.Context, in pbImplEnvoyAuthV3Shared.Token) (pbImplEnvoyAuthV3Shared.ResponseAuth, error) {
+	z.cache = cache.NewCache[pbImplEnvoyAuthV3Shared.Token, pbImplEnvoyAuthV3Shared.ResponseAuth](func(ctx context.Context, in pbImplEnvoyAuthV3Shared.Token) (pbImplEnvoyAuthV3Shared.ResponseAuth, time.Time, error) {
 		client, err := z.authClient.Get(ctx)
 		if err != nil {
-			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, err
+			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, util.Default[time.Time](), err
 		}
 
 		resp, err := client.Validate(ctx, &pbAuthenticationV1.ValidateRequest{
 			Token: string(in),
 		})
 		if err != nil {
-			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, err
+			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, util.Default[time.Time](), err
 		}
 
 		if !resp.GetIsValid() {
-			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, errors.Errorf("Invalid Token: %s", resp.GetMessage())
+			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, util.Default[time.Time](), errors.Errorf("Invalid Token: %s", resp.GetMessage())
 		}
 
 		if resp.Details == nil {
-			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, errors.Errorf("Missing Details: %s", resp.GetMessage())
+			return pbImplEnvoyAuthV3Shared.ResponseAuth{}, util.Default[time.Time](), errors.Errorf("Missing Details: %s", resp.GetMessage())
 		}
 
 		return pbImplEnvoyAuthV3Shared.ResponseAuth{
 			User:  resp.GetDetails().GetUser(),
 			Roles: resp.GetDetails().GetRoles(),
-		}, nil
-	}, pbImplEnvoyAuthV3Shared.DefaultTTL)
+		}, time.Now().Add(pbImplEnvoyAuthV3Shared.DefaultTTL), nil
+	})
 
 	logger.Info("Gateway CookieAuth Enabled")
 	return z, true

integrations/envoy/auth/v3/impl/auth_custom/impl.go

@@ -21,18 +21,20 @@
 package auth_custom
 
 import (
+	"context"
+
 	"github.com/arangodb/kube-arangodb/integrations/envoy/auth/v3/impl/auth_custom/openid"
 	pbImplEnvoyAuthV3Shared "github.com/arangodb/kube-arangodb/integrations/envoy/auth/v3/shared"
 )
 
-func New(configuration pbImplEnvoyAuthV3Shared.Configuration) (pbImplEnvoyAuthV3Shared.AuthHandler, bool) {
+func New(ctx context.Context, configuration pbImplEnvoyAuthV3Shared.Configuration) (pbImplEnvoyAuthV3Shared.AuthHandler, bool) {
 	if !configuration.Auth.Enabled {
 		return nil, false
 	}
 
 	switch configuration.Auth.Type {
 	case "OpenID":
-		return openid.New(configuration)
+		return openid.New(ctx, configuration)
 	}
 
 	return nil, false