Scope
OIDC/SPIFFE tokens expire. The daemon must refresh its token before expiry, and the registry must periodically re-verify each member's token rather than trusting the one presented at join time. This prevents a revoked identity from keeping network access on the strength of a previously issued token.
Deliverables
- Daemon-side token refresh loop (re-fetch from IdP before expiry)
- Registry-side periodic re-validation (configurable interval, default 1 hour)
- On re-validation failure: remove node from network, emit webhook, audit event
- Graceful handling: warn before forced removal, allow re-auth window
- Session binding: tie network membership to token validity, not just initial join
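The two halves of this design (daemon refresh loop, registry re-validation with a warn-then-remove grace window) sketched as an added example in Go. This is not code from the project's pkg/daemon or pkg/registry; the Token, Registry, Daemon, Verify, UpdateToken, Fetch and MaybeRefresh names are assumptions, time is passed in explicitly so the behaviour is deterministic, and the IdP/SPIRE revocation lookup is stood in for by a Revoked flag on the token.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Token is the slice of an OIDC/SPIFFE credential this sketch needs.
// Hypothetical shape; the project's real token type is not shown here.
type Token struct {
	Subject string
	Expiry  time.Time
	Revoked bool // stands in for a revocation check against the IdP/SPIRE
}

// Verifier re-checks a token at a given instant (real code: JWKS/SPIRE lookup).
type Verifier func(tok Token, now time.Time) error

// Verify is a constructed verifier: reject revoked or expired tokens.
func Verify(tok Token, now time.Time) error {
	if tok.Revoked {
		return errors.New("token revoked by IdP")
	}
	if !now.Before(tok.Expiry) {
		return errors.New("token expired")
	}
	return nil
}

type Status int

const (
	StatusOK      Status = iota // token still valid, membership kept
	StatusWarned                // validation failed; inside the re-auth window
	StatusRemoved               // window elapsed; node dropped from the network
)

// Node is a network member whose membership is bound to its current token.
type Node struct {
	ID       string
	Token    Token
	FailedAt time.Time // zero until a re-validation first fails
}

// Registry holds members and a grace period (ReauthWindow) before forced removal.
type Registry struct {
	Nodes        map[string]*Node
	ReauthWindow time.Duration
	Events       []string // stand-in for the webhook and audit sinks
}

func (r *Registry) emit(format string, a ...any) {
	r.Events = append(r.Events, fmt.Sprintf(format, a...))
}

// Revalidate is one run of the registry-side periodic check (default interval 1h).
// Session binding: a node stays a member only while its token keeps verifying.
func (r *Registry) Revalidate(v Verifier, now time.Time) map[string]Status {
	out := make(map[string]Status, len(r.Nodes))
	for id, n := range r.Nodes {
		err := v(n.Token, now)
		switch {
		case err == nil:
			n.FailedAt = time.Time{} // re-auth succeeded: clear any pending warning
			out[id] = StatusOK
		case n.FailedAt.IsZero():
			n.FailedAt = now // first failure: warn and open the re-auth window
			r.emit("warn node=%s reason=%q deadline=%s", id, err, now.Add(r.ReauthWindow).Format(time.RFC3339))
			out[id] = StatusWarned
		case now.Sub(n.FailedAt) >= r.ReauthWindow:
			delete(r.Nodes, id) // window elapsed with no valid token: forced removal
			r.emit("removed node=%s reason=%q", id, err)
			r.emit("webhook node.removed id=%s", id)
			r.emit("audit node.removed id=%s at=%s", id, now.Format(time.RFC3339))
			out[id] = StatusRemoved
		default:
			out[id] = StatusWarned // still inside the window, already warned
		}
	}
	return out
}

// UpdateToken accepts a replacement token only if it verifies now; this is the
// re-auth path a warned node uses to stay in the network.
func (r *Registry) UpdateToken(v Verifier, id string, tok Token, now time.Time) error {
	n, ok := r.Nodes[id]
	if !ok {
		return fmt.Errorf("node %s is not a member; it must re-join", id)
	}
	if err := v(tok, now); err != nil {
		return err
	}
	n.Token, n.FailedAt = tok, time.Time{}
	return nil
}

// Daemon is the node-side half: re-fetch from the IdP before expiry and push
// the new token to the registry. Fetch is a hypothetical IdP client call.
type Daemon struct {
	NodeID      string
	Token       Token
	RefreshLead time.Duration // refresh once less than this remains on the token
	Fetch       func(now time.Time) (Token, error)
}

// MaybeRefresh is one tick of the daemon refresh loop; true means it refreshed.
func (d *Daemon) MaybeRefresh(r *Registry, v Verifier, now time.Time) (bool, error) {
	if d.Token.Expiry.Sub(now) > d.RefreshLead {
		return false, nil
	}
	tok, err := d.Fetch(now)
	if err != nil {
		return false, err
	}
	if err := r.UpdateToken(v, d.NodeID, tok, now); err != nil {
		return false, err
	}
	d.Token = tok
	return true, nil
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	r := &Registry{ReauthWindow: time.Hour, Nodes: map[string]*Node{
		"b": {ID: "b", Token: Token{Subject: "b", Expiry: t0.Add(2 * time.Hour), Revoked: true}},
	}}
	for _, at := range []time.Duration{0, 30 * time.Minute, 61 * time.Minute} {
		fmt.Println(at, r.Revalidate(Verify, t0.Add(at)))
	}
	for _, e := range r.Events {
		fmt.Println(e)
	}
}
```

The ticking itself (a `time.Ticker` at the configured interval, a goroutine per daemon) is deliberately left out: keeping `now` as a parameter makes the warn/remove state machine unit-testable and keeps the re-auth window independent of the re-validation interval.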
Files
pkg/daemon/daemon.go — token refresh loop
pkg/registry/server.go — periodic re-validation
tests/ — token expiry and refresh tests
Priority: MEDIUM