Support newly added kubelogin cli flag `--oidc-use-access-token`

[v0lkc]

Description

Busola currently does not support the newly added --oidc-use-access-token flag in the kubelogin utility. This flag is essential for enabling authentication using the access_token instead of the id_token. Implementing support for this flag in Busola would allow users to authenticate with XSUAA (SAP BTP) and leverage BTP roles provided in the access token's scope attribute for granting permissions.

Reasons

• allows authorization of users based on roles in SAP BTP

Attachments

• https://github.com/int128/kubelogin/pull/1084
• Example of kubeconfig configuration using the new flag:

  
  apiVersion: v1
  kind: Config
  clusters:

• cluster: server: https:// certificate-authority-data: name: contexts:
• context: cluster: user: name: current-context: users:
• name: user: exec: apiVersion: client.authentication.k8s.io/v1beta1 command: kubelogin args:
• get-token
• --oidc-issuer-url=https://issuer.example.com
• --oidc-client-id=
• --oidc-client-secret=
• --oidc-use-access-token

[v0lkc]

Busola evaluates the kubelogin arguments at the following location:

https://github.com/kyma-project/busola/blob/773233faf6e0a7a2139c8ce0cab45ce2a5f04fb0/src/components/Clusters/components/oidc-params.ts#L3-L48

To support the --oidc-use-access-token argument, you'll need to add it to the OIDC_PARAM_NAMES map. This update is necessary so that the login logic can determine whether to forward the id_token or the access_token. Three locations require changes for this update:

https://github.com/kyma-project/busola/blob/773233faf6e0a7a2139c8ce0cab45ce2a5f04fb0/src/state/authDataAtom.ts#L69

https://github.com/kyma-project/busola/blob/773233faf6e0a7a2139c8ce0cab45ce2a5f04fb0/src/state/authDataAtom.ts#L87

https://github.com/kyma-project/busola/blob/773233faf6e0a7a2139c8ce0cab45ce2a5f04fb0/src/state/authDataAtom.ts#L101