use openid_connect gem's jwks caching feature #576
nov wants to merge 1 commit into ManageIQ:master from
@rhysm @benlangfeld you know more than me about OIDC, could you review? @nov Does this deserve any additions to README? Or is it "if you've set up a JWK cache it'll automagically do the obvious Right Thing, and if not you don't care about this?"

If OIDC login flow is executed very often, it deserves to be added to README too.

OK, I don't know how to review this myself, but I shouldn't have blocked this either. Superficially, makes sense 👍 @nov please add at least a CHANGELOG.md entry (as I'm not sure how to explain this change well), and I'll merge.

@nov friendly ping — the only thing blocking merge is I don't know how to explain this change in CHANGELOG.md, please add an entry there 🙏 FYI, #606 is looking to auto-renew credentials, and intends to call [EDIT: all this time I haven't realized you are the author of openid_connect 😳 👏 Still, I don't know enough about this area, and I need someone to explain the implications at least to the users...]

Same with omniauth/omniauth_openid_connect#124

When passing an `OpenIDConnect::Discovery::Provider::Config::Response` instance to `OpenIDConnect::ResponseObject::IdToken.decode`, it fetches the JWK Set using `JSON::JWK::Set::Fetcher`. `JSON::JWK::Set::Fetcher` tries to cache the JWKS by the given `kid` when `JSON::JWK::Set::Fetcher.cache` is set up like below.
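
A simplified, stdlib-only model of the kid-keyed JWKS caching described above, added here as an illustration and not code from this PR or from the openid_connect or json-jwt gems; `MemoryCache`, `CachedJwksFetcher`, the cache key layout, the URI and the sample keys are all hypothetical. It shows repeated logins sharing one download, a rotated `kid` forcing a fresh one, and a retired key staying available from the cache until the store expires it.

```ruby
require "json"
require "digest"

# In-memory store exposing fetch(key) { ... } and delete(key), the shape a
# Rails-style cache offers (assumed interface for this sketch).
class MemoryCache
  def initialize
    @store = {}
  end

  def fetch(key)
    @store.fetch(key) { @store[key] = yield }
  end

  def delete(key)
    @store.delete(key)
  end
end

# Hypothetical model of a kid-keyed JWKS lookup; not the json-jwt source.
class CachedJwksFetcher
  attr_reader :network_fetches

  def initialize(cache, &transport)
    @cache = cache
    @transport = transport # stands in for the HTTP GET of jwks_uri
    @network_fetches = 0
  end

  # Returns the JWK whose kid matches, or nil if the document lacks it.
  def fetch(jwks_uri, kid:)
    key = ["jwks", Digest::SHA256.hexdigest(jwks_uri), kid].join(":")
    body = @cache.fetch(key) do
      @network_fetches += 1
      @transport.call(jwks_uri)
    end
    jwk = JSON.parse(body).fetch("keys", []).find { |k| k["kid"] == kid }
    @cache.delete(key) if jwk.nil? # this model never keeps a document without the kid
    jwk
  end
end

def demo
  published = { "keys" => [{ "kty" => "RSA", "kid" => "2023-a" }] } # constructed sample
  fetcher = CachedJwksFetcher.new(MemoryCache.new) { |_uri| JSON.generate(published) }
  uri = "https://idp.example.test/jwks" # placeholder
  3.times { fetcher.fetch(uri, kid: "2023-a") } # three logins, one download
  logins = fetcher.network_fetches
  published["keys"] = [{ "kty" => "RSA", "kid" => "2024-b" }] # provider rotates its key
  rotated = fetcher.fetch(uri, kid: "2024-b") # new kid, new cache key, fresh download
  stale = fetcher.fetch(uri, kid: "2023-a")   # retired key still served from cache
  { logins: logins, rotated: rotated, stale: stale, total: fetcher.network_fetches }
end
```

In this model the retired key remains usable for as long as its cache entry lives, so the expiry configured on the cache store bounds how long a withdrawn signing key is still accepted.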