From 02434673bd8a358270906a3524579b724f60a4ec Mon Sep 17 00:00:00 2001
From: Diego Ciangottini
Date: Tue, 18 Jul 2023 12:21:30 +0000
Subject: [PATCH] edit refresh token for oidc

---
 kustomizations/deployment.yaml | 6 ++++--
 scripts/refresh.py | 11 ++++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/kustomizations/deployment.yaml b/kustomizations/deployment.yaml
index cb92c448..623c09a0 100644
--- a/kustomizations/deployment.yaml
+++ b/kustomizations/deployment.yaml
@@ -18,7 +18,7 @@ spec:
 spec:
 containers:
 - name: inttw-vk
- image: ghcr.io/intertwin-eu/virtual-kubelet-inttw:0.0.1-pre9
+ image: ghcr.io/intertwin-eu/virtual-kubelet-inttw:0.0.1-pre11
 imagePullPolicy: Always
 args:
 - --nodename
@@ -64,7 +64,7 @@ spec:
 cpu: 2000m
 memory: 2Gi
 - name: refresh-token
- image: ghcr.io/intertwin-eu/virtual-kubelet-inttw-refresh:0.0.1-pre9
+ image: ghcr.io/intertwin-eu/virtual-kubelet-inttw-refresh:0.0.1-pre11
 imagePullPolicy: Always
 env:
 - name: IAM_SERVER
@@ -74,6 +74,8 @@ spec:
 value: "DUMMY"
 - name: IAM_CLIENT_SECRET
 value: "DUMMY"
+ - name: IAM_REFRESH_TOKEN
+ value: "DUMMY"
 - name: IAM_VK_AUD
 value: intertw-vk
 - name: TOKEN_PATH
diff --git a/scripts/refresh.py b/scripts/refresh.py
index 8e0b9313..84ae1c46 100644
--- a/scripts/refresh.py
+++ b/scripts/refresh.py
@@ -18,6 +18,7 @@
 "IAM_SERVER", "https://cms-auth.web.cern.ch/")
 iam_client_id = os.environ.get("IAM_CLIENT_ID")
 iam_client_secret = os.environ.get("IAM_CLIENT_SECRET")
+ iam_refresh_token = os.environ.get("IAM_REFRESH_TOKEN")
 audience = os.environ.get("IAM_VK_AUD")
 output_file = os.environ.get("TOKEN_PATH", "/opt/interlink/token")
 except Exception as ex:
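Review bot: The new `IAM_REFRESH_TOKEN` entry in the third hunk of kustomizations/deployment.yaml takes the token as a literal `value:`, so whoever replaces "DUMMY" ends up writing a long-lived OIDC refresh token into the Deployment spec, where anyone who can read the Deployment or the kustomization source can read it too. Source it from a Secret instead, for example `valueFrom: {secretKeyRef: {name: <secret-name>, key: <refresh-token-key>}}` (placeholder names). `IAM_CLIENT_SECRET` just above follows the same literal pattern and would benefit from the same change.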
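Review bot: `os.environ.get("IAM_REFRESH_TOKEN")` in the first scripts/refresh.py hunk returns None when the variable is unset instead of raising, so the surrounding `try`/`except Exception` never fires for a missing token and the script apparently goes on to call the token endpoint without a usable refresh token. Reading it as `iam_refresh_token = os.environ["IAM_REFRESH_TOKEN"]` lets the existing handler catch the omission at startup. The `try` opens above the hunk and the `except` body lies below it, so what the handler does with the error is not visible here.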
@@ -31,11 +32,11 @@
 request_data = {
 "client_id": iam_client_id,
 "client_secret": iam_client_secret,
- "grant_type": "client_credentials",
- "username": "not_needed",
- "password": "not_needed",
- "scope": "openid profile email iam groups groups:intw",
- "aud": audience
+ "grant_type": "refresh_token",
+ "username": iam_client_id,
+ "password": iam_client_secret,
+ "refresh_token": iam_refresh_token,
+ "scope": "openid profile email address phone offline_access"
 }
 r = requests.post(iam_server+"token", data=request_data)
 response = json.loads(r.text)
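Review bot: The rewritten `request_data` drops `"aud": audience`, so the access token is no longer requested with the `IAM_VK_AUD` audience even though the first hunk still reads that variable; unless the IAM applies a default audience, the resulting token is likely accepted by more services than the virtual kubelet needs. If the server honours the parameter on the refresh grant, keep `"aud": audience` in the dict. The `"username": iam_client_id` and `"password": iam_client_secret` fields are not parameters of the `refresh_token` grant and put the client secret into the request body a second time, so I would delete both lines. The scope string also grows to `address phone offline_access`; request only the scopes the consumer of the token needs.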