[RFC-0010] Add provider audience to cache key

matheuscscp · matheuscscp · commit e2be6b8318b6 · 2025-05-17T21:45:53.000+01:00
Signed-off-by: Matheus Pimenta &lt;matheuscscp@gmail.com&gt;
diff --git a/auth/get_token.go b/auth/get_token.go
@@ -45,6 +45,7 @@ func GetToken(ctx context.Context, provider Provider, opts ...Option) (Token, er
 	}
 
 	// Update access token fetcher for a service account if specified.
+	var providerAudience string
 	var providerIdentity string
 	var serviceAccountP *corev1.ServiceAccount
 	if o.ServiceAccount != nil {
@@ -63,7 +64,7 @@ func GetToken(ctx context.Context, provider Provider, opts ...Option) (Token, er
 
 		// Get provider audience.
 		var err error
-		providerAudience, err := provider.GetAudience(ctx, serviceAccount)
+		providerAudience, err = provider.GetAudience(ctx, serviceAccount)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get provider audience: %w", err)
 		}
@@ -131,7 +132,8 @@ func GetToken(ctx context.Context, provider Provider, opts ...Option) (Token, er
 	}
 
 	// Build cache key.
-	cacheKey := buildCacheKey(provider, providerIdentity, artifactRepositoryCacheKey, serviceAccountP, opts...)
+	cacheKey := buildCacheKey(provider, providerAudience, providerIdentity,
+		artifactRepositoryCacheKey, serviceAccountP, opts...)
 
 	// Get involved object details.
 	kind := o.InvolvedObject.Kind
@@ -163,7 +165,7 @@ func newServiceAccountToken(ctx context.Context, client client.Client,
 	return tokenReq.Status.Token, nil
 }
 
-func buildCacheKey(provider Provider, providerIdentity, artifactRepositoryKey string,
+func buildCacheKey(provider Provider, providerAudience, providerIdentity, artifactRepositoryKey string,
 	serviceAccount *corev1.ServiceAccount, opts ...Option) string {
 
 	var o Options
@@ -174,6 +176,7 @@ func buildCacheKey(provider Provider, providerIdentity, artifactRepositoryKey st
 	keyParts = append(keyParts, fmt.Sprintf("provider=%s", provider.GetName()))
 
 	if serviceAccount != nil {
+		keyParts = append(keyParts, fmt.Sprintf("providerAudience=%s", providerAudience))
 		keyParts = append(keyParts, fmt.Sprintf("providerIdentity=%s", providerIdentity))
 		keyParts = append(keyParts, fmt.Sprintf("serviceAccountName=%s", serviceAccount.Name))
 		keyParts = append(keyParts, fmt.Sprintf("serviceAccountNamespace=%s", serviceAccount.Namespace))
diff --git a/auth/get_token_test.go b/auth/get_token_test.go
@@ -325,7 +325,7 @@ func TestGetToken(t *testing.T) {
 					tokenCache, err := cache.NewTokenCache(1)
 					g.Expect(err).NotTo(HaveOccurred())
 
-					const key = "da48da328aa46181e677d76c835b7ca32b5fbf64da01577463d42a2720708ecb"
+					const key = "7dbde7c617cd92ad3187cac7db8587d268aa81402be65fcf67e6f4537c8dcc63"
 					token := &mockToken{token: "cached-token"}
 					cachedToken, ok, err := tokenCache.GetOrSet(ctx, key, func(ctx context.Context) (cache.Token, error) {
 						return token, nil
