OpenShiftOAuthInterceptor should not refresh on `403` response code

[rohanKanojia]

Is your task related to a problem? Please describe

Originally posted by @shawkins in an internal conversation:

the openshift logic will force a refresh for 401 and 403, but the kuberentes logic is only for 401 - do you know if this is intentional or should we do some digging in kubectl and oc

OpenShiftOAuthInterceptor seems to proceed with token refresh on either getting 401 (UNAUTHORIZED) or 403 (FORBIDDEN) response codes:

kubernetes-client/openshift-client/src/main/java/io/fabric8/openshift/client/internal/OpenShiftOAuthInterceptor.java

Line 198 in ddfab72

return response.code() != HTTP_UNAUTHORIZED && response.code() != HTTP_FORBIDDEN;

However, there is no mention of handing 403 in RFC 6749.

In kubectl source I only see 401 being handled for refresh.

In oc source, I'm not able to see 403 referenced either.

Describe the solution you'd like

OpenShiftOAuthInterceptor should only refresh when 401 status code is encountered.

Describe alternatives you've considered

No response

Additional context

No response

[jpraet]

This change seems to be breaking my application when upgrading from 6.5.0 to 6.5.1?

Exception in thread "main" io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://paas.***.be:443/apis/template.openshift.io/v1/namespaces/cbss-test-custom-jobs/templates. Message: templates.template.openshift.io is forbidden: User "system:anonymous" cannot list templates.template.openshift.io in the namespace "cbss-test-custom-jobs": no RBAC policy matched. Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=template.openshift.io, kind=templates, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=templates.template.openshift.io is forbidden: User "system:anonymous" cannot list templates.template.openshift.io in the namespace "cbss-test-custom-jobs": no RBAC policy matched, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).
	at io.fabric8.kubernetes.client.KubernetesClientException.copyAsCause(KubernetesClientException.java:238)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.waitForResult(OperationSupport.java:546)
	at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:424)
	at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:392)
	at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.list(BaseOperation.java:93)
	at be.fgov.kszbcss.batch.client.OpenShiftJobClient.listJobTemplates(OpenShiftJobClient.java:61)
	at be.fgov.kszbcss.batch.cli.ListJobCommand.call(ListJobCommand.java:11)
	at be.fgov.kszbcss.batch.cli.ListJobCommand.main(ListJobCommand.java:27)
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://paas.***.be:443/apis/template.openshift.io/v1/namespaces/cbss-test-custom-jobs/templates. Message: templates.template.openshift.io is forbidden: User "system:anonymous" cannot list templates.template.openshift.io in the namespace "cbss-test-custom-jobs": no RBAC policy matched. Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=template.openshift.io, kind=templates, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=templates.template.openshift.io is forbidden: User "system:anonymous" cannot list templates.template.openshift.io in the namespace "cbss-test-custom-jobs": no RBAC policy matched, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:701)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:681)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.assertResponseCode(OperationSupport.java:630)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.lambda$handleResponse$0(OperationSupport.java:591)
	at java.base/java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:642)
	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
	at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)
	at io.fabric8.kubernetes.client.http.StandardHttpClient.lambda$completeOrCancel$5(StandardHttpClient.java:120)
	at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:859)
	at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837)
	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
	at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)
	at io.fabric8.kubernetes.client.http.ByteArrayBodyHandler.onBodyDone(ByteArrayBodyHandler.java:52)
	at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:859)
	at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837)
	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
	at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)
	at io.fabric8.kubernetes.client.okhttp.OkHttpClientImpl$OkHttpAsyncBody.doConsume(OkHttpClientImpl.java:135)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)