kyma-project / busola

Web based Kubernetes Dashboard with a focus on privacy that requires no active components or special privileges in your cluster.
Apache License 2.0

Login error when one or more `--oidc-extra-scope` args are present in the kubeconfig #3288

Closed v0lkc closed 2 weeks ago

v0lkc commented 3 weeks ago

Description

When a kubeconfig file contains one or more `--oidc-extra-scope` parameters, Busola stops sending the "openid" scope, resulting in a login error. The error message returned is: `Login error: ErrorResponse: Invalid token does not contain resource id (openid)`. The "openid" scope is expected to always be sent, regardless of any additional scopes provided.

Expected result

No error

Actual result

image

Steps to reproduce

```yaml
apiVersion: v1
clusters:
   ...
users:
- name: xsuaa
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://...
      - --oidc-client-id=some-id
      - --oidc-client-secret=a-secret
      - --oidc-extra-scope=first-scope
      - --oidc-extra-scope=second-scope
      command: kubectl
```

Troubleshooting
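
The behaviour the report expects, as an added example that is not part of the original issue and is not Busola's code: read the `oidc-login` exec args from a kubeconfig user and build the OAuth `scope` parameter so that `openid` is always present and extra scopes are appended to it. The function names (`flagValues`, `buildScope`, `parseOidcExecArgs`) and the sample array are assumptions made for illustration.

```javascript
// Constructed sample: the exec args from the kubeconfig in the report above.
const sampleArgs = [
  'oidc-login',
  'get-token',
  '--oidc-issuer-url=https://...',
  '--oidc-client-id=some-id',
  '--oidc-client-secret=a-secret',
  '--oidc-extra-scope=first-scope',
  '--oidc-extra-scope=second-scope',
];

// Collect every value of a repeatable flag, accepting both
// "--flag=value" and "--flag value" spellings.
function flagValues(args, flag) {
  const values = [];
  for (let i = 0; i < args.length; i++) {
    const arg = args[i];
    if (arg.startsWith(flag + '=')) {
      values.push(arg.slice(flag.length + 1));
    } else if (arg === flag && i + 1 < args.length && !args[i + 1].startsWith('--')) {
      values.push(args[++i]);
    }
  }
  return values.filter((v) => v.length > 0);
}

// Build the space-delimited scope string. "openid" is the fixed base;
// extra scopes are added to it and never replace it. Duplicates are dropped.
function buildScope(args) {
  const extra = flagValues(args, '--oidc-extra-scope')
    .flatMap((v) => v.split(/\s+/))
    .filter(Boolean);
  return [...new Set(['openid', ...extra])].join(' ');
}

// Hypothetical helper: the fields a client needs to start the OIDC login.
function parseOidcExecArgs(args) {
  return {
    issuerUrl: flagValues(args, '--oidc-issuer-url')[0],
    clientId: flagValues(args, '--oidc-client-id')[0],
    scope: buildScope(args),
  };
}
```
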