always initialize idp token endpoint for service accounts

MichaelEischer · MichaelEischer · commit c98d4cd0a3af · 2026-03-03T11:57:38.000+01:00
diff --git a/internal/cmd/ske/kubeconfig/login/login.go b/internal/cmd/ske/kubeconfig/login/login.go
@@ -317,11 +317,6 @@ func getAccessToken(params *types.CmdParams) (string, error) {
 		return "", &cliErr.SessionExpiredError{}
 	}
 
-	err = auth.EnsureIDPTokenEndpoint(params.Printer)
-	if err != nil {
-		return "", err
-	}
-
 	return accessToken, nil
 }
 
diff --git a/internal/pkg/auth/auth.go b/internal/pkg/auth/auth.go
@@ -216,18 +216,3 @@ func GetValidAccessToken(p *print.Printer) (string, error) {
 	// Return the new access token
 	return utf.accessToken, nil
 }
-
-// EnsureIDPTokenEndpoint ensures that the `IDP_TOKEN_ENDPOINT` auth field is set.
-// This field is by default only initialized for user accounts. Call this method to also
-// initialize it for service accounts.
-func EnsureIDPTokenEndpoint(p *print.Printer) error {
-	idpTokenEndpoint, err := GetAuthField(IDP_TOKEN_ENDPOINT)
-	if err != nil {
-		return fmt.Errorf("failed to check idp token endpoint configuration value: %w", err)
-	}
-	if idpTokenEndpoint == "" {
-		_, err := retrieveIDPWellKnownConfig(p)
-		return err
-	}
-	return nil
-}
diff --git a/internal/pkg/auth/service_account.go b/internal/pkg/auth/service_account.go
@@ -36,6 +36,14 @@ var _ http.RoundTripper = &keyFlowWithStorage{}
 // It returns the email associated with the service account
 // If disableWriting is set to true the credentials are not stored on disk (keyring, file).
 func AuthenticateServiceAccount(p *print.Printer, rt http.RoundTripper, disableWriting bool) (email, accessToken string, err error) {
+	if !disableWriting {
+		// Ensure idp token endpoint is set
+		_, err = retrieveIDPWellKnownConfig(p)
+		if err != nil {
+			return "", "", err
+		}
+	}
+
 	authFields := make(map[authFieldKey]string)
 	var authFlowType AuthFlow
 	switch flow := rt.(type) {
@@ -80,8 +88,6 @@ func AuthenticateServiceAccount(p *print.Printer, rt http.RoundTripper, disableW
 		return "", "", fmt.Errorf("compute session expiration timestamp: %w", err)
 	}
 	authFields[SESSION_EXPIRES_AT_UNIX] = sessionExpiresAtUnix
-	// clear idp token endpoint as it is not set by default for service accounts
-	authFields[IDP_TOKEN_ENDPOINT] = ""
 
 	if !disableWriting {
 		err = SetAuthFlow(authFlowType)
diff --git a/internal/pkg/auth/service_account_test.go b/internal/pkg/auth/service_account_test.go
@@ -153,6 +153,7 @@ func TestAuthenticateServiceAccount(t *testing.T) {
 			}
 
 			p := print.NewPrinter()
+			p.AssumeYes = true
 			email, _, err := AuthenticateServiceAccount(p, flow, false)
 
 			if !tt.isValid {

Original file line number	Diff line number	Diff line change
`@@ -317,11 +317,6 @@ func getAccessToken(params *types.CmdParams) (string, error) {`
`317`	`317`	`return "", &cliErr.SessionExpiredError{}`
`318`	`318`	`}`
`319`	`319`
`320`		`- err = auth.EnsureIDPTokenEndpoint(params.Printer)`
`321`		`- if err != nil {`
`322`		`- return "", err`
`323`		`- }`
`324`		`-`
`325`	`320`	`return accessToken, nil`
`326`	`321`	`}`
`327`	`322`
Original file line number	Diff line number	Diff line change
`@@ -153,6 +153,7 @@ func TestAuthenticateServiceAccount(t *testing.T) {`
`153`	`153`	`}`
`154`	`154`
`155`	`155`	`p := print.NewPrinter()`
	`156`	`+ p.AssumeYes = true`
`156`	`157`	`email, _, err := AuthenticateServiceAccount(p, flow, false)`
`157`	`158`
`158`	`159`	`if !tt.isValid {`