headlamp-k8s / headlamp

A Kubernetes web UI that is fully-featured, user-friendly and extensible
https://headlamp.dev
Apache License 2.0

OIDC token times out too quickly on web client #2358

Open sarg3nt opened 2 months ago

sarg3nt commented 2 months ago

We have Headlamp working with OIDC and Azure but are running into the issue of the token expiring far too quickly. My Azure team tells me this is usually a setting in the app initiating the request.

I also found closed ticket https://github.com/headlamp-k8s/headlamp/issues/209 where @joaquimrocha talks a little about this.

if you have access with your token throughout the navigation in Headlamp but the problem is apparently a timeout when using the token, maybe increasing the tokens' lifespan will help. In KeyCloak this is done in the settings of the client you are using, under "Advanced Settings > Access Token Lifespan".

But I do not know what he means by "the client". Maybe the Windows version of Headlamp?

Is there a way to set this in the Helm chart?

joaquimrocha commented 2 months ago

I think that comment was about KeyCloak. If you are using Azure, I think something different needs to be done. Adding @ashu8912 and @yolossn should they know more here.

sarg3nt commented 1 month ago

Hi all, any update on this?

sarg3nt commented 2 weeks ago

@ashu8912, @yolossn and @joaquimrocha any update on this? Is this something we need to investigate in our Azure setup or is this an issue in Headlamp?

yolossn commented 2 weeks ago

@sarg3nt sorry for the late response. May I know if you are using Azure AKS OIDC setup working with Entra ID or AAD?

sarg3nt commented 2 days ago

@yolossn Sorry for the late reply. Not sure, here's the config.

values.yaml

config:
  oidc:
    secret:
      create: false
    externalSecret:
      enabled: true
      name: "oidc"

oidc_secrets.tf

resource "kubernetes_secret" "headlamp_oidc_secret" {
  metadata {
    name      = "oidc"
    namespace = kubernetes_namespace.headlamp.metadata.0.name
  }

  data = {
    OIDC_CLIENT_ID     = var.azure_oidc.client_id
    OIDC_CLIENT_SECRET = var.azure_oidc_client_secret
    OIDC_ISSUER_URL    = var.azure_oidc_issuer_url
    OIDC_SCOPES        = "email profile"
    HTTP_PROXY         = var.proxy
    HTTPS_PROXY        = var.proxy
    http_proxy         = var.proxy
    https_proxy        = var.proxy
    NO_PROXY           = var.proxy_no
    no_proxy           = var.proxy_no
  }

  type = "Opaque"
}

I found this. https://learn.microsoft.com/en-us/answers/questions/843346/how-to-change-token-expiration-time-in-azure-porta

You have to request a refresh token together with id/access token. With the refresh token you can then request another id/access token when those will expire. The refresh token has a much longer life. More info at: https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
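As an added example (not Headlamp's code and not anything posted in this thread), the following Python script shows the two checks behind that answer: reading a token's exp claim to confirm how short its lifetime really is, and performing the refresh_token grant against the issuer's token endpoint found via OIDC discovery. The issuer URL, client id, refresh token values and the stub issuer responses are constructed so it runs offline; since a refresh token is only returned when offline_access is among the requested scopes (true for Entra ID and for OIDC generally), the script appends that scope if it is missing.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def seconds_until_expiry(token: str, now=None) -> int:
    """Remaining lifetime taken from the exp claim; negative once expired."""
    now = time.time() if now is None else now
    return int(jwt_claims(token)["exp"] - now)

def ensure_offline_access(scopes: str) -> str:
    """A refresh token is only issued when offline_access is among the scopes."""
    parts = scopes.split()
    return scopes if "offline_access" in parts else " ".join(parts + ["offline_access"])

def http_json(url: str, form=None) -> dict:
    """GET (form is None) or form-encoded POST, returning the parsed JSON body."""
    data = urlencode(form).encode() if form is not None else None
    with urlopen(Request(url, data=data)) as resp:
        return json.load(resp)

def refresh_tokens(issuer, client_id, client_secret, refresh_token, scopes, http=http_json):
    """Exchange a refresh token for fresh id/access tokens (RFC 6749 section 6)."""
    meta = http(issuer.rstrip("/") + "/.well-known/openid-configuration")
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token,
            "scope": ensure_offline_access(scopes)}
    reply = http(meta["token_endpoint"], form)
    if "error" in reply:  # e.g. invalid_grant once the refresh token itself has expired
        raise RuntimeError(f"{reply['error']}: {reply.get('error_description', '')}")
    return reply

def constructed_token(exp: int) -> str:
    """Constructed, unsigned sample JWT for offline runs; not a real token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}."

def constructed_issuer(url: str, form=None) -> dict:
    """Constructed stand-in for the issuer (discovery + token endpoint), offline only."""
    if form is None:
        return {"token_endpoint": "https://issuer.example/token"}
    if form["refresh_token"] != "good-refresh":
        return {"error": "invalid_grant", "error_description": "refresh token expired"}
    return {"id_token": constructed_token(int(time.time()) + 3600)}
```

Run seconds_until_expiry on the id token Headlamp receives to see the actual lifetime before changing any Azure setting.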