hashicorp · tobias-hashicorp · Oct 27, 2023 · Oct 18, 2023 · Oct 18, 2023 · Oct 25, 2023
diff --git a/.changelog/205.txt b/.changelog/205.txt
@@ -0,0 +1,9 @@
+```release-note:improvement
+All credentials (login, service-principal and workload identity provider) are now cached.
+
+The cache file has moved to `creds-cache.json` to not interfere with applications that rely on the previous cache file
+structure.
+
+It is further now possible to enforce an interactive login (via a configuration flag), which can be used to implement a
+`cli login` functionality.
+```
diff --git a/README.md b/README.md
@@ -38,7 +38,7 @@ User session is ideal for getting started or one-off usage. It also works for lo
 
 To obtain user credentials, the client credential environment variables `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` must be unset. When no client credentials are detected, the HCP Go client will prompt the user with a browser login window. Once authenticated, the user session stays refreshed without intervention until it expires after 24 hours.
 
-If you have a use-case with the SDK to leverage the browser login as a feature but want to control if the browser is opened, or even to understand if the system already has a valid token present, you can pass in the option func of `WithoutBrowserLogin()` to your `NewHCPConfig()`. This will use either the provided `ClientID`:`ClientSecret` combo or a valid token that has been previously written to the system. If neither option exists, then `auth.ErrorNoLocalCredsFound` is returned to indicate that the user is not yet logged in.
+If you have a use-case with the SDK to leverage the browser login as a feature but want to control if the browser is opened you can pass in the option func of `WithoutBrowserLogin()` to your `NewHCPConfig()`.
 
 ### User Profile
 
@@ -66,7 +66,7 @@ HCP_ORGANIZATION_ID="22abc..."
     )
     ```
 
-See `cmd/hcp-sdk-go-client` for a complete example.
+See `cmd/example` for a complete example.
 
 ### SDK Release Cycle
 
@@ -96,9 +96,7 @@ In addition to the generated product clients, the HCP Go SDK provides a few libr
 
 ### Cache
 
-The Cache interface lives under the `auth` package. It handles writing the user credentials obtained during browser login to the common location `/.config/hcp/credentials.json` in the home directory. The Cache has `Read` and `Write` methods that can be used to get and set stored HCP credentials.
-
-Generally the contents of the Cache should be Read to get the latest, unexpired credentials. Without care, overwriting user credentials may cause unexpected authentication failures.
+The Cache interface lives under the `tokencache` package. It handles writing the user, service-principal and workload identity provider tokens to the common location `/.config/hcp/creds-cache.json` in the home directory. The cached values are automatically read and written when a caching token source is used.
 
 ## Contributing
 

diff --git a/auth/browser.go b/auth/browser.go
@@ -19,9 +19,22 @@ import (
 	"golang.org/x/oauth2"
 )
 
-// Browser implements the browser handler for the OAuth2 login flow.
-type Browser interface {
-	GetTokenFromBrowser(context.Context, *oauth2.Config) (*oauth2.Token, error)
+// browserLogin implements an oauth2.TokenSource for interactive browser logins.
+type browserLogin struct {
+	oauthConfig *oauth2.Config
+}
+
+// NewBrowserLogin will return an oauth2.TokenSource that will return a Token from an interactive browser login.
+func NewBrowserLogin(oauthConfig *oauth2.Config) *browserLogin {
+	return &browserLogin{
+		oauthConfig: oauthConfig,
+	}
+}
+
+// Token will return an oauth2.Token retrieved from an interactive browser login.
+func (b *browserLogin) Token() (*oauth2.Token, error) {
+	browser := &oauthBrowser{}
+	return browser.GetTokenFromBrowser(context.Background(), b.oauthConfig)
 }
 
 // oauthBrowser implements the Browser interface using the real OAuth2 login flow.
@@ -85,18 +98,6 @@ func (b *oauthBrowser) GetTokenFromBrowser(ctx context.Context, conf *oauth2.Con
 			return nil, fmt.Errorf("failed to exchange code for token: %w", err)
 		}
 
-		// Save the token to config file.
-		cache := Cache{
-			AccessToken:       tok.AccessToken,
-			RefreshToken:      tok.RefreshToken,
-			AccessTokenExpiry: tok.Expiry,
-			SessionExpiry:     time.Now().Add(SessionMaxAge),
-		}
-		err = Write(cache)
-		if err != nil {
-			return nil, fmt.Errorf("failed to write token to file: %w", err)
-		}
-
 		return tok, nil
 	case <-sigintCh:
 		return nil, errors.New("interrupted")

diff --git a/auth/cache.go b/auth/cache.go