From a8914b73a12583c29bdee333528a55a5b3e5db1f Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Mon, 25 Sep 2017 09:57:16 -0700
Subject: [PATCH] oidc client auth: better error when refresh response is missing id_token

---
 .../k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go
index 27ba722a6b..1fe52c5241 100644
--- a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go
+++ b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go
@@ -258,7 +258,11 @@ func (p *oidcAuthProvider) idToken() (string, error) {
 idToken, ok := token.Extra("id_token").(string)
 if !ok {
- return "", fmt.Errorf("token response did not contain an id_token")
+ // id_token isn't a required part of a refresh token response, so some
+ // providers (Okta) don't return this value.
+ //
+ // See https://github.com/kubernetes/kubernetes/issues/36847
+ return "", fmt.Errorf("token response did not contain an id_token, either the scope \"openid\" wasn't requested upon login, or the provider doesn't support id_tokens as part of the refresh response.")
 }
 
 // Create a new config to persist.