headlamp-k8s / headlamp

A Kubernetes web UI that is fully-featured, user-friendly and extensible
https://headlamp.dev
Apache License 2.0

oidc login with existing kubeconfig that works with kubectl and openlens does not work with headlamp desktop application #1656

Open AndrewSav opened 7 months ago

AndrewSav commented 7 months ago

This is a fragment of my kubeconfig (redacted) that works perfectly with kubectl and OpenLens:

```yaml
apiVersion: v1
clusters:
    - cluster:
        certificate-authority-data: LS0t...
        server: https://stagnig:6443
      name: staging
contexts:
    - context:
        cluster: staging
        namespace: user-asavinykh
        user: asavinykh@domain.tld
      name: staging
current-context: staging
kind: Config
preferences: {}
users:
    - name: asavinykh@domain.tld
      user:
        auth-provider:
            config:
                client-id: redacted.apps.googleusercontent.com
                client-secret: redacted
                id-token: eyJ...
                idp-issuer-url: https://accounts.google.com
                refresh-token: redacted
            name: oidc
```

However, it does not let me log in with the Headlamp desktop app.

yolossn commented 7 months ago

Hey @AndrewSav, when you say "it doesn't let me log in", is it not showing the Sign In page, or does it not work after completing the sign-in flow?

AndrewSav commented 7 months ago

@yolossn it does show the sign-in page, but it should not, since the kubeconfig is already in a usable state: there is no need for the sign-in UI flow, it should just work. Neither OpenLens nor kubectl require any visible sign-in flow with this config.

The sign-in page does not work either, but I'm not surprised about this, because it could not possibly know how to log in to my cluster, so I'm not concerned about it.

[two screenshots attached]

Related developer documentation

rbcb-bedag commented 1 month ago

Hey, I have a similar issue on my side:

We are authenticating via OpenUnison: https://openunison.github.io/ I can either copy a command from their dashboard, which then generates the whole kubeconfig, or use their CLI. The kubeconfig then looks like this:

```yaml
- name: my-username
  user:
    auth-provider:
      config:
        client-id: kubernetes
        client-secret: ""  # this is empty
        id-token: eyJh...
        idp-certificate-authority-data: ""
        idp-issuer-url: OUR-DOMAIN-URL/auth/idp/k8sIdp
        refresh-token: q1b....
      name: oidc
```

When I manually create/refresh the kubeconfig, it works via OpenLens. But with Headlamp, when I then press "Sign In", it opens the following URL: http://localhost:4466/oidc-callback?error=unauthorized_client and says "invalid request state is empty".

I don't see where this URL is picked up from, or how I could adjust it to the idp-issuer-url value from the kubeconfig.

Or could we even just skip this check, because we can create/refresh the token manually outside of Headlamp? That would work fine for me for now, as it's also the state with OpenLens.
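Both kubeconfig fragments in this thread (the Google entry in the first post and the OpenUnison entry above) carry an `id-token` and, in the first case, a `refresh-token` under `auth-provider: oidc`. That is why kubectl and OpenLens need no sign-in UI: client-go's oidc plugin sends the stored id-token while it is unexpired and, when it has expired, exchanges the refresh-token at the issuer named by `idp-issuer-url`, only falling back to an interactive login when neither is usable. The script below is an added example, not Headlamp's code and not from either commenter; it reads a kubeconfig and reports that decision per context before any browser flow is considered, and flags an `idp-issuer-url` that is not an https URL, since a refresh cannot be done safely against it. The sample kubeconfig, hostnames and tokens are constructed (the tokens are unsigned and serve only the local expiry check, which is also all that client-go does locally; the API server is what verifies signatures), and the OpenUnison-style issuer URL is a placeholder standing in for the redacted value.

```python
"""Decide, from a kubeconfig alone, whether an oidc auth-provider entry is already usable."""
import base64
import json

try:
    import yaml  # PyYAML, optional: real kubeconfigs are YAML
except ImportError:  # pragma: no cover
    yaml = None

NOW = 1_700_000_000  # fixed "now" so the demo is deterministic (constructed, not a real timestamp)
CLOCK_SKEW = 10      # seconds of leeway before a token is treated as expired


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature. That is enough for a
    local expiry check (what client-go's oidc plugin does); only the API server verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def fake_id_token(exp: int) -> str:
    """Constructed, unsigned token for the sample config; a real API server would reject it."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": "https://accounts.google.com", "exp": exp}).encode())
    return f"{header}.{payload}."


def load_kubeconfig(text: str) -> dict:
    if yaml is not None:
        return yaml.safe_load(text)
    return json.loads(text)  # JSON is valid YAML, so the constructed sample loads either way


def user_entry(config: dict, context_name=None) -> dict:
    """Follow current-context -> contexts[].context.user -> users[].user."""
    name = context_name or config["current-context"]
    ctx = next(c for c in config["contexts"] if c["name"] == name)["context"]
    return next(u for u in config["users"] if u["name"] == ctx["user"])["user"]


def classify_oidc_user(user: dict, now: int = NOW) -> str:
    """What a client-go style oidc auth-provider does with this entry:
    'use-id-token' : id-token present and unexpired -> send it, no UI needed
    'refresh'      : id-token missing/expired but refresh-token present -> silent refresh
    'interactive'  : nothing usable stored -> a browser sign-in is the only option"""
    provider = user.get("auth-provider") or {}
    if provider.get("name") != "oidc":
        return "not-oidc"
    cfg = provider.get("config") or {}
    token = cfg.get("id-token")
    if token and decode_jwt_claims(token).get("exp", 0) - CLOCK_SKEW > now:
        return "use-id-token"
    if cfg.get("refresh-token"):
        return "refresh"
    return "interactive"


def issuer_url_problems(user: dict) -> list:
    """Discovery and token refresh go to idp-issuer-url, so it must be a TLS URL."""
    cfg = (user.get("auth-provider") or {}).get("config") or {}
    url = cfg.get("idp-issuer-url", "")
    if not url:
        return ["idp-issuer-url missing"]
    if not url.startswith("https://"):
        return [f"idp-issuer-url is not https: {url!r}"]
    return []


def report(config: dict, now: int = NOW) -> dict:
    """One entry per context: the action a kubeconfig-aware client should take before any sign-in UI."""
    out = {}
    for ctx in config["contexts"]:
        user = user_entry(config, ctx["name"])
        out[ctx["name"]] = {"action": classify_oidc_user(user, now), "problems": issuer_url_problems(user)}
    return out


# Constructed sample mirroring the two entries in the thread plus an expired variant.
_GOOGLE = {"client-id": "redacted.apps.googleusercontent.com", "idp-issuer-url": "https://accounts.google.com"}
SAMPLE_KUBECONFIG_TEXT = json.dumps({
    "apiVersion": "v1", "kind": "Config", "current-context": "staging",
    "clusters": [{"name": "staging", "cluster": {"server": "https://staging.example.test:6443"}}],
    "contexts": [
        {"name": "staging", "context": {"cluster": "staging", "user": "fresh@example.test"}},
        {"name": "stale", "context": {"cluster": "staging", "user": "stale@example.test"}},
        {"name": "openunison", "context": {"cluster": "staging", "user": "my-username"}},
    ],
    "users": [
        {"name": "fresh@example.test", "user": {"auth-provider": {"name": "oidc", "config": {
            **_GOOGLE, "id-token": fake_id_token(NOW + 3600), "refresh-token": "constructed-refresh"}}}},
        {"name": "stale@example.test", "user": {"auth-provider": {"name": "oidc", "config": {
            **_GOOGLE, "id-token": fake_id_token(NOW - 60), "refresh-token": "constructed-refresh"}}}},
        {"name": "my-username", "user": {"auth-provider": {"name": "oidc", "config": {
            "client-id": "kubernetes", "client-secret": "", "refresh-token": "",
            "idp-issuer-url": "idp.example.test/auth/idp/k8sIdp",  # placeholder, scheme-less like the redacted one
            "id-token": fake_id_token(NOW + 3600)}}}},
    ],
})

if __name__ == "__main__":
    for name, r in report(load_kubeconfig(SAMPLE_KUBECONFIG_TEXT)).items():
        print(f"{name:12} {r['action']:14} {'; '.join(r['problems']) or 'ok'}")
```

Run against a real file by replacing `SAMPLE_KUBECONFIG_TEXT` with the contents of `~/.kube/config`; a context reported as `use-id-token` or `refresh` is one where a client has no reason to open a sign-in page, and a non-https issuer URL is worth fixing before any refresh is attempted.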