Change default oidc-login port 8000 to avoid browser cache conflict

int128 / kubelogin

kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)

Apache License 2.0

1.66k stars 191 forks source link

Change default oidc-login port 8000 to avoid browser cache conflict #1113

Open robinovitch61 opened 1 month ago

robinovitch61 commented 1 month ago

Describe the issue

kubectl oidc-login get-token -h | grep listen-address
      --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])

Since default is 127.0.0.1:8000, this could (and did for me) collide with my browser's cache. I had recently run this command:

docker run --platform linux/amd64 --publish 8000:8080 ghcr.io/mermaid-js/mermaid-live-editor

and my browser cached the mermaid editor rather than hitting the webserver for login. I'd request the default be changed to something other than 8000 to avoid future occurrences for others.

To reproduce

run kubectl oidc-login get-token --force-refresh --oidc-issuer-url=...
have browser open, but http://localhost:8000 is cached as something else, so oidc web server never hit and console hangs

Your environment

OS: macOS
kubelogin version: e.g.v1.28.0
kubectl version: e.g. v1.29.5

porty commented 2 weeks ago

There might be a different issue at play - binding to / listening on 127.0.0.1:8000 can succeed even if something else has taken :8000 (i.e. a wildcard IP, which includes IPv6) - this is totally fine, but there is inconsistency with the bind IP of 127.0.0.1 and opening the browser to localhost which can be a different IP address (possibly depending on OS or ordering in /etc/hosts) - a fix would be to open a browser on 127.0.0.1:$PORT instead of localhost:$PORT.

I worked around the issue by changing localhost:8000 in my browser (which was some other Docker-based app) to 127.0.0.1:8000 (and again after the redirect back)