fix #5298: using an invalid token to trigger refresh (#5311)

CHANGELOG.md

@@ -3,6 +3,7 @@
 ### 6.8-SNAPSHOT
 
 #### Bugs
+* Fix #5298: Prevent requests needing authentication from causing a 403 response
 * Fix #5221: Empty kube config file causes NPE
 * Fix #5281: Ensure the KubernetesCrudDispatcher's backing map is accessed w/lock
 * Fix #5293: Ensured the mock server uses only generic or JsonNode parsing

kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/utils/TokenRefreshInterceptor.java

@@ -69,6 +69,9 @@ public void before(BasicBuilder headerBuilder, HttpRequest request, RequestTags
 
     if (Utils.isNotNullOrEmpty(token)) {
       headerBuilder.header(AUTHORIZATION, "Bearer " + token);
+    } else if (useRemoteRefresh(config)) {
+      // trigger a 401, rather than attempting an unauthenticated request
+      headerBuilder.header(AUTHORIZATION, "Bearer invalid");
     }
     if (isTimeToRefresh()) {
       refreshToken(headerBuilder);

openshift-client/src/test/java/io/fabric8/openshift/client/internal/OpenShiftOAuthInterceptorTest.java

@@ -42,7 +42,6 @@
 import static java.net.HttpURLConnection.HTTP_UNAUTHORIZED;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Answers.RETURNS_SELF;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
@@ -69,7 +68,7 @@ void testBasicAuthNotUsed() {
 
     interceptor.before(builder, builder.build(), null);
 
-    assertTrue(builder.build().headers(TokenRefreshInterceptor.AUTHORIZATION).isEmpty());
+    assertEquals("Bearer invalid", builder.build().header(TokenRefreshInterceptor.AUTHORIZATION));
   }
 
   @Test