Refreshing API Token through Terraform login fails if current token is expired #903

Open
iam-take opened this issue Jun 1, 2024 · 1 comment
Labels
bug Something isn't working help wanted Extra attention is needed terrakube-api terrakube-registry

Comments


iam-take commented Jun 1, 2024

Bug description 🐞

When you use Terraform Login to generate a token to authenticate your machine against Terrakube, this works fine. The token, depending on your Dex configuration, will have a certain lifespan (by default 24H).

The next thing, and I am not sure if this is a Terrakube or Terraform CLI issue, is that when this token has reached its time limit it will have expired and you can't authenticate against Terrakube. This is expected behaviour; however, when you want to recreate a token through Terraform Login you will receive an error 401 Unauthorized. Although it seems reasonable since the token is expired, the other thought is that you are able to authenticate when you do not have a token. So I would think there is some mechanism to allow renewal of an existing token. I do not have any other environment to which I can compare this.

If this is default Terraform CLI behaviour feel free to close this bug 😄

│ Error: Service discovery failed for terrakube.xx.xxxxx.xx
│
│ failed to request discovery document: 401 Unauthorized.

Steps to reproduce

Run Terraform Login
Let the token expire (wait 24 with default configuration)
Run Terraform Login again; an error will show

Expected behavior

I would expect that although the current token is expired you would be able to retrieve a new token if you are able to authenticate against Terrakube. So a login flow should be started.

Example repository

No response

Anything else?

The workaround, of course, is using self-generated API tokens from the Terrakube UI or API directly in this file instead of using terraform login.

@iam-take iam-take added the bug Something isn't working label Jun 1, 2024
@alfespa17
Member

Hello @iam-take

When you run terraform login, the terraform cli sends a request with an empty bearer token to this endpoint https://terrakube-api.minikube.net/.well-known/terraform.json because it didn't find any token in your credentials.tfrc.json. This endpoint is public and does not have any authorization in spring security.

Once you have a token in your credentials.tfrc.json, the terraform cli takes the expired token from credentials.tfrc.json and sends the same request with the bearer token to https://terrakube-api.minikube.net/.well-known/terraform.json, where spring security takes the token and checks if the token is valid even if the endpoint does not require any kind of authorization, and that is the reason you see the HTTP 401 error.

I tried to fix this a long time ago but I was not able to find a way to change that behavior in the spring security configuration, and as you mentioned the workaround is to use a PAT or simply delete the token from your credentials.tfrc.json.

We can leave this issue open and maybe in the future we can find a way to fix it, for now this issue can be used as a reference for someone else having the same problem.
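The "delete the token from your credentials.tfrc.json" workaround described above can be scripted so that only expired entries are dropped before running terraform login again. This is an added example, not code from Terrakube or the Terraform CLI; it assumes the stored token is a Dex-issued JWT carrying an `exp` claim, and the function names and sample host names are hypothetical.

```python
import base64, json, os, time

# Default credentials file of the Terraform CLI on Linux/macOS.
CREDS = os.path.expanduser("~/.terraform.d/credentials.tfrc.json")

def jwt_expiry(token):
    """Return the 'exp' claim (epoch seconds) or None if the token is not a JWT.
    The signature is not verified; the value only drives local cleanup."""
    parts = token.split(".")
    if len(parts) != 3:
        return None                      # opaque token: leave it alone
    try:
        body = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:                   # bad base64, bad UTF-8 or bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, (int, float)) else None

def prune_expired(creds, now=None):
    """Return (cleaned_creds, removed_hosts); unexpired entries are kept as-is."""
    now = time.time() if now is None else now
    kept, removed = {}, []
    for host, entry in creds.get("credentials", {}).items():
        token = entry.get("token", "") if isinstance(entry, dict) else ""
        exp = jwt_expiry(token) if isinstance(token, str) else None
        if exp is not None and exp <= now:
            removed.append(host)         # expired: this entry triggers the 401
        else:
            kept[host] = entry
    return {**creds, "credentials": kept}, removed

def clean_file(path=CREDS):
    """Rewrite the credentials file atomically, keeping it owner-only (0600)."""
    with open(path) as fh:
        cleaned, removed = prune_expired(json.load(fh))
    if removed:
        fd = os.open(path + ".tmp", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(cleaned, fh, indent=2)
        os.replace(path + ".tmp", path)
    return removed

def constructed_jwt(exp):
    """Build an unsigned sample token for the demo (constructed, not a real one)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"

if __name__ == "__main__":
    sample = {"credentials": {"terrakube.example.test": {"token": constructed_jwt(1)}}}
    print(prune_expired(sample))         # constructed input; clean_file() edits the real file
```
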
