Skip to content
🛥️🐳 KSail

ksail oidc get-token

Get an OIDC token for Kubernetes authentication.


This command implements the client.authentication.k8s.io/v1 ExecCredential protocol.
It is intended to be used as a kubeconfig exec credential plugin, not called directly.


The token acquisition flow:
  1. Check the local cache for a valid token
  2. If expired, attempt to refresh using the stored refresh token
  3. If no valid token, start the browser-based authorization code flow with PKCE
  4. Output the ExecCredential JSON to stdout


Usage:
  ksail oidc get-token [flags]


Flags:
      --ca-file string        Path to CA certificate for self-signed OIDC providers
      --client-id string      OIDC client ID (required)
      --extra-scope strings   Additional OIDC scopes
      --issuer-url string     OIDC provider issuer URL (required)


Global Flags:
      --benchmark       Show per-activity benchmark output
      --config string   Path to config file (default: ksail.yaml found via directory traversal)