aad

package
v0.0.0-...-a580c8e
Published: Sep 18, 2020 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetToken

func GetToken(ctx context.Context, log *logrus.Entry, oc *api.OpenShiftCluster, resource string) (*adal.ServicePrincipalToken, error)

GetToken authenticates in the customer's tenant as the cluster service principal and returns a token. It retries in the cases below. Unfortunately there doesn't seem to be a way to distinguish whether these cases occur due to misconfiguration or AAD propagation delays.

1. `{"error": "unauthorized_client", "error_description": "AADSTS700016: Application with identifier 'xxx' was not found in the directory 'xxx'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. ...", "error_codes": [700016]}`. This can be an indicator of AAD propagation delay.

2. Lack of an altsecid, puid or oid claim in the token. Continuing would subsequently cause the ARM error `Code="InvalidAuthenticationToken" Message="The received access token is not valid: at least one of the claims 'puid' or 'altsecid' or 'oid' should be present. If you are accessing as an application please make sure service principal is properly created in the tenant."`. I think this can be returned when the service principal associated with the application hasn't yet caught up with the application itself.

3. Network failures. If the error is not an adal.TokenRefreshError, it is most likely a transient failure (for example, connection reset by peer).
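The three retry cases above, as an added stand-alone example rather than the package's own GetToken code: `aadError` stands in for adal.TokenRefreshError, `retryReason` classifies one token-request outcome, and `jwtClaims`/`fakeJWT` (both assumptions, not part of the package) inspect and construct the claim set without any signature handling.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)
// aadError stands in for adal.TokenRefreshError, the error adal returns when AAD itself rejects the request (assumption, not the adal type).
type aadError struct{ body string }
func (e aadError) Error() string { return e.body }
// retryReason maps one token-request outcome onto the cases GetToken retries ("propagation", "missing-claims", "transient"); "" means give up.
func retryReason(err error, rawJWT string) string {
	if err != nil {
		if _, ok := err.(aadError); !ok {
			return "transient" // case 3: not an AAD rejection, e.g. connection reset by peer
		}
		if strings.Contains(err.Error(), "AADSTS700016") {
			return "propagation" // case 1: application not (yet) visible in the tenant
		}
		return "" // any other AAD rejection is treated as misconfiguration
	}
	claims, err := jwtClaims(rawJWT)
	if err != nil || claims["altsecid"] != nil || claims["puid"] != nil || claims["oid"] != nil {
		return "" // undecodable, or a token ARM will accept
	}
	return "missing-claims" // case 2: service principal has not caught up with the application
}
// jwtClaims decodes a compact JWT payload without checking the signature: the token was just issued to us by AAD over TLS and only its claim set is inspected here.
func jwtClaims(raw string) (claims map[string]any, err error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &claims)
	}
	return claims, err
}
// fakeJWT builds an unsigned compact token from claims: constructed test input only.
func fakeJWT(claims map[string]any) string {
	b, _ := json.Marshal(claims)
	return base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + base64.RawURLEncoding.EncodeToString(b) + "."
}
func main() {
	// A token carrying only an appid claim is the case-2 situation: retry rather than call ARM.
	fmt.Println(retryReason(nil, fakeJWT(map[string]any{"appid": "constructed"})))
}
```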

Types

This section is empty.
