Update UAA token refresh logic

Ensures a pre-established, intentionally non-secret, string is used
in the token exchange request as the client secret to ensure the refresh
token obtained is reusable.

Signed-off-by: Vui Lam <[email protected]>

pkg/auth/common/login_handler.go

@@ -123,12 +123,15 @@ func WithCertInfo(tlsSkipVerify bool, caCertData string) LoginOption {
 	}
 }
 
-// WithClientID specifies a OAuth Client ID to use
-func WithClientID(clientID string) LoginOption {
+// WithClientIDAndSecret specifies a OAuth Client ID and secret to use
+func WithClientIDAndSecret(clientID, clientSecret string) LoginOption {
 	return func(h *TanzuLoginHandler) error {
 		h.clientID = clientID
+		h.clientSecret = clientSecret
 		if h.oauthConfig != nil {
 			h.oauthConfig.ClientID = clientID
+			//
+			h.oauthConfig.ClientSecret = clientSecret
 		}
 		return nil
 	}

pkg/auth/uaa/tanzu.go

@@ -35,6 +35,17 @@ func getIssuerEndpoints(issuerURL string) common.IssuerEndPoints {
 	}
 }
 
+func GetClientSecret() string {
+	// Not really used as a secret, but specified in OAuth client to UAA in order
+	// to obtain the expected token refresh behavior.
+	secret := "tanzu_intentionally_not_a_secret"
+
+	if noClientSecret, _ := strconv.ParseBool(os.Getenv(constants.UAANoClientSecret)); noClientSecret {
+		secret = ""
+	}
+	return secret
+}
+
 func GetAlternateClientID() string {
 	// Default to use the same client id, even for non-interactive login use cases.
 	clientID := tanzuCLIClientID

pkg/auth/uaa/uaa.go

@@ -15,7 +15,7 @@ func GetTokens(refreshOrAPIToken, _, issuer, tokenType string) (*common.Token, e
 	if tokenType == common.APITokenType {
 		clientID = GetAlternateClientID()
 	}
-	loginOptions := []common.LoginOption{common.WithRefreshToken(refreshOrAPIToken), common.WithListenerPortFromEnv(constants.TanzuCLIOAuthLocalListenerPort), common.WithClientID(clientID)}
+	loginOptions := []common.LoginOption{common.WithRefreshToken(refreshOrAPIToken), common.WithListenerPortFromEnv(constants.TanzuCLIOAuthLocalListenerPort), common.WithClientIDAndSecret(clientID, GetClientSecret())}
 	if tokenType == common.APITokenType {
 		loginOptions = append(loginOptions, common.WithSuppressInteractive(true))
 	}

pkg/command/apitoken.go

@@ -75,7 +75,7 @@ func createAPIToken(cmd *cobra.Command, _ []string) (err error) {
 	// Also specify the client ID to use for token generation
 	loginOptions := []commonauth.LoginOption{
 		commonauth.WithListenerPortFromEnv(constants.TanzuCLIOAuthLocalListenerPort),
-		commonauth.WithClientID(uaa.GetAlternateClientID()),
+		commonauth.WithClientIDAndSecret(uaa.GetAlternateClientID(), uaa.GetClientSecret()),
 	}
 
 	token, err = uaa.TanzuLogin(c.GlobalOpts.Auth.Issuer, loginOptions...)

pkg/command/context.go

@@ -736,7 +736,7 @@ func doUAAAPITokenAuthAndUpdateContext(c *configtypes.Context, uaaEndpoint, apiT
 	loginOptions := []commonauth.LoginOption{
 		commonauth.WithSuppressInteractive(true), // fail instead of falling back to interactive login
 		commonauth.WithRefreshToken(apiTokenValue),
-		commonauth.WithClientID(uaa.GetAlternateClientID()),
+		commonauth.WithClientIDAndSecret(uaa.GetAlternateClientID(), uaa.GetClientSecret()),
 	}
 
 	var endpointCACertData string

pkg/constants/env_variables.go

@@ -69,6 +69,9 @@ const (
 	// UAAUseAlternateClient allows use of an alternate UAA client for non-interactive logins
 	UAAUseAlternateClient = "TANZU_CLI_USE_ALTERNATE_UAA_CLIENT"
 
+	// UAANoClientSecret skips setting of OAuth Client Secret
+	UAANoClientSecret = "TANZU_CLI_NO_UAA_CLIENT_SECRET" //nolint:gosec
+
 	// TanzuCLIOAuthLocalListenerPort is the port to be used by local listener for OAuth authorization flow
 	TanzuCLIOAuthLocalListenerPort = "TANZU_CLI_OAUTH_LOCAL_LISTENER_PORT"