Skip to content

feat: add support for caching refresh token in armadactl#4490

Merged
dejanzele merged 2 commits intoarmadaproject:masterfrom
dejanzele:feat/armadactl-cache-token
Jan 16, 2026
Merged

feat: add support for caching refresh token in armadactl#4490
dejanzele merged 2 commits intoarmadaproject:masterfrom
dejanzele:feat/armadactl-cache-token

Conversation

@dejanzele
Copy link
Member

@dejanzele dejanzele commented Oct 3, 2025
edited
Loading

What type of PR is this?

Feature which adds OIDC refresh token caching in armadactl.

What this PR does / why we need it:

Adds token caching for OIDC auth so you don't have to authenticate in the browser every single time you run armadactl.

Currently it's super annoying - every command opens the browser for auth.
This PR fixes that by securely caching the refresh token in your system keyring (Keychain on mac, etc).
After you auth once, subsequent commands just work without the browser popup.

The implementation is secure - only uses the OS keyring, never falls back to files.
If there's no keyring available, caching just gets disabled.

To use it, just add cacheRefreshToken: true to your context in ~/.armadactl.yaml:

contexts:
  my-context:
    cacheRefreshToken: true
    openIdAuth:
      providerUrl: "http://localhost:8180/realms/armada"
      clientId: "armada-server"
      localPort: 8085
      scopes: ["openid", "profile", "email", "offline_access"]

Make sure to add offline_access scope so refresh token is returned from the IDP.

Which issue(s) this PR fixes:

Fixes #4487

Special notes

armadactl MUST be built with CGO_ENABLED=1 for this to work properly.

@dejanzele dejanzele force-pushed the feat/armadactl-cache-token branch 2 times, most recently from 13c61aa to c35aeb7 Compare October 3, 2025 08:06
@dejanzele dejanzele changed the title add support for caching refresh token in armadactl feat: add support for caching refresh token in armadactl Oct 8, 2025
nikola-jokic
nikola-jokic previously approved these changes Nov 28, 2025
View reviewed changes
nikola-jokic
nikola-jokic previously approved these changes Dec 16, 2025
View reviewed changes
@dejanzele dejanzele force-pushed the feat/armadactl-cache-token branch 4 times, most recently from cf746b3 to 341710b Compare January 13, 2026 15:39
nikola-jokic
nikola-jokic previously approved these changes Jan 13, 2026
View reviewed changes
@dejanzele dejanzele force-pushed the feat/armadactl-cache-token branch from 341710b to 5d3d080 Compare January 14, 2026 20:54
nikola-jokic
nikola-jokic previously approved these changes Jan 14, 2026
View reviewed changes
@dejanzele dejanzele force-pushed the feat/armadactl-cache-token branch from 5d3d080 to ae3dd27 Compare January 14, 2026 21:04
@dejanzele dejanzele force-pushed the feat/armadactl-cache-token branch from ae3dd27 to c024772 Compare January 16, 2026 02:20
@dejanzele
feat(armadactl): add OIDC refresh token caching
af92a0b 
Add token caching for OIDC auth to avoid repeated browser authentication.
The refresh token is securely stored in the system keyring (macOS Keychain,
Windows Credential Manager, Linux Secret Service).

To enable, add `cacheRefreshToken: true` to your context in ~/.armadactl.yaml
and include `offline_access` in your scopes.

Note: armadactl must be built with CGO_ENABLED=1 on macOS for keychain access.

Signed-off-by: Dejan Zele Pejchev <pejcev.dejan@gmail.com>
@dejanzele dejanzele force-pushed the feat/armadactl-cache-token branch from c024772 to af92a0b Compare January 16, 2026 02:22
@dejanzele dejanzele enabled auto-merge (squash) January 16, 2026 11:48
@dejanzele dejanzele merged commit 8f00ba7 into armadaproject:master Jan 16, 2026
14 checks passed
Sigele pushed a commit to Sigele/armada that referenced this pull request Jan 30, 2026
@dejanzele
feat: add support for caching refresh token in armadactl (armadaproje…
c38633e 
…ct#4490)

#### What type of PR is this?
Feature which adds OIDC refresh token caching in armadactl.

#### What this PR does / why we need it:

Adds token caching for OIDC auth so you don't have to authenticate in
the browser every single time you run armadactl.

Currently it's super annoying - every command opens the browser for
auth.
This PR fixes that by securely caching the refresh token in your system
keyring (Keychain on mac, etc).
After you auth once, subsequent commands just work without the browser
popup.

The implementation is secure - only uses the OS keyring, never falls
back to files.
If there's no keyring available, caching just gets disabled.

To use it, just add `cacheRefreshToken: true` to your context in
`~/.armadactl.yaml`:

  ```yaml
  contexts:
    my-context:
      cacheRefreshToken: true
      openIdAuth:
        providerUrl: "http://localhost:8180/realms/armada"
        clientId: "armada-server"
        localPort: 8085
        scopes: ["openid", "profile", "email", "offline_access"]
```

Make sure to add `offline_access` scope so refresh token is returned from the IDP.

#### Which issue(s) this PR fixes:

Fixes armadaproject#4487

#### Special notes

`armadactl` MUST be built with `CGO_ENABLED=1` for this to work properly.

Signed-off-by: Dejan Zele Pejchev <pejcev.dejan@gmail.com>
Signed-off-by: Sigele Nickerson-Adams <sigele.nickerson-adams@nmc2.ai>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JamesMurkin JamesMurkin JamesMurkin approved these changes

@nikola-jokic nikola-jokic nikola-jokic left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Armadactl doesn't cache OIDC tokens

3 participants

@dejanzele @JamesMurkin @nikola-jokic