Disable login screen when authenticating with an external reverse proxy #6881
Labels
awaiting-more-evidence
Need more info to actually get it done.
kind/proposal
An issue that reports a new feature proposal to be discussed
stale
Automatic label to stale issues due inactivity to be closed if no further action
Summary
Provide a flag that bypasses login when a token is present in the Authorization header.
Background and rationale
I've integrated KubeApps with OpenUnison's reverse proxy, which injects a token that is accepted by the API server, instead of the bundled oauth2-proxy. I didn't integrate via the oauth2 proxy because it doesn't handle very short-lived tokens (1 min) well, and so each page was refreshing the authentication back to OpenUnison's identity provider. Integrating this way lets me inject a short-lived (1 min) token that the API server will recognize without having to get a new token via OIDC every minute and without having to deal with refresh tokens.
While the setup with OpenUnison works, I'm presented with a login screen asking for a token. Providing any value bypasses this screen without issue (this isn't a security issue, because the token that's injected into the header is used). Setting authProxy.skipKubeappsLoginPage to true has no impact (probably because authProxy.enabled is false).
This request is similar to how the Kubernetes Dashboard and Kiali both work with external proxies.
Description
Add a helm chart option similar to frontend.skipLogin or just detect that there's a token and skip the login page.
Acceptance criteria
If frontend.skipLoginPage is true, trust the Authorization header and do not present a login screen.
Additional context
Add any other context or screenshots about the feature request here.