OIDC authentication is not handled gracefully in headlamp #2242

Open
O5ten opened this issue Aug 13, 2024 · 8 comments
Labels
backend Issues related to the backend blocker Completely prevents the user from using the software. bug Something isn't working oidc Issue related to OIDC

Comments

@O5ten

O5ten commented Aug 13, 2024

I'm having trouble connecting to a cluster that has OIDC configured as its authentication method. Competing products (openlens) are opening a browser window to (re)authenticate to the cluster when needed. Headlamp is just asking me for a service account token.

image

This is a sample of my .kube/config:

```yaml
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://login.microsoftonline.com/<tenant>/v2.0
      - --oidc-client-id=<some-client-id>
      - --oidc-client-secret=<some-client-secret>
      command: kubectl
      interactiveMode: IfAvailable
      provideClusterInfo: false
```

@illume illume added bug Something isn't working blocker Completely prevents the user from using the software. labels Aug 14, 2024
@illume illume added backend Issues related to the backend oidc Issue related to OIDC labels Aug 14, 2024
@joaquimrocha
Collaborator

Thank you @O5ten . We will look into this as we do want to support this use-case.

@mviswanathsai

Hmm... so it seems to me like we need to look out for OIDC configuration in the kubeconfig file. If it is indeed present, we would need to adopt a different logical flow. Here is what I see:

  1. Allow the user to authenticate using OIDC, with a browser window/popup.
  2. Get a hold of the authentication token (JWT) from the provider and make use of it in the backend communication with the API server.
  3. If the token expires, handle that logic as well: re-authenticate and repeat.

But I see many areas where we need deeper discussions. Maybe a design proposal is in order? @joaquimrocha
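
An added illustration of step 3 in the comment above (not part of the thread and not Headlamp's code): the exec plugin configured in the kubeconfig prints an ExecCredential object on stdout, and a client can read its expiry to refresh in the background before the token lapses. The function names and the sample JSON are constructed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// execCredential holds the ExecCredential fields an exec plugin prints on stdout.
type execCredential struct {
	Kind   string `json:"kind"`
	Status struct {
		Token               string     `json:"token"`
		ExpirationTimestamp *time.Time `json:"expirationTimestamp"`
	} `json:"status"`
}

// tokenExpiry prefers the plugin's expirationTimestamp and falls back to the JWT exp
// claim, read WITHOUT signature verification: for scheduling a refresh, not for trust.
func tokenExpiry(out []byte) (string, time.Time, error) {
	var cred execCredential
	if err := json.Unmarshal(out, &cred); err != nil || cred.Kind != "ExecCredential" || cred.Status.Token == "" {
		return "", time.Time{}, fmt.Errorf("plugin output is not an ExecCredential with a token")
	}
	if ts := cred.Status.ExpirationTimestamp; ts != nil {
		return cred.Status.Token, *ts, nil
	}
	var claims struct{ Exp int64 `json:"exp"` }
	if parts := strings.Split(cred.Status.Token, "."); len(parts) == 3 {
		if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err == nil {
			_ = json.Unmarshal(payload, &claims) // Exp stays 0 if the payload is not JSON
		}
	}
	if claims.Exp == 0 {
		return "", time.Time{}, fmt.Errorf("token carries no usable expiry")
	}
	return cred.Status.Token, time.Unix(claims.Exp, 0), nil
}

// needsRefresh reports whether the token expires within skew of now.
func needsRefresh(expiry, now time.Time, skew time.Duration) bool {
	return !now.Before(expiry.Add(-skew))
}

func main() { // constructed sample of plugin stdout, not captured from a real cluster
	_, exp, err := tokenExpiry([]byte(`{"kind":"ExecCredential","status":{"token":"opaque","expirationTimestamp":"2025-02-03T10:00:00Z"}}`))
	fmt.Println(exp, err, needsRefresh(exp, time.Now(), time.Minute))
}
```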

@O5ten
Author

O5ten commented Feb 3, 2025

For what it's worth on the competition analysis side: the fact that the browser opens every once in a while as Lens refreshes its token is among the most annoying things with it. If I keep it on, it has opened multiple windows for me during demos and other situations. If there is a way to perform this in the background then that would be absolutely magical.

It's even worse when you have multiple clusters to worry about.

@mviswanathsai

Not entirely sure about the security side of things. But technically, we should be able to store the OIDC credentials and handle the authentication behind the scenes.
But again, not sure what that entails.

@mviswanathsai

mviswanathsai commented Feb 3, 2025

Just to clarify, are you using Headlamp from outside the cluster? Asking because it does seem like there is some documentation of the expected behavior for in-cluster setups: https://headlamp.dev/docs/latest/installation/in-cluster/oidc/

@O5ten
Author

O5ten commented Feb 3, 2025

I'm trying to use headlamp as a desktop app. Haven't attempted to use it in-cluster yet as we have many clusters.

@knrt10
Contributor

knrt10 commented Feb 4, 2025

@O5ten can you please confirm which version of Headlamp you are using? We do have this issue fixed in the latest version. Can you also confirm you are using the signin option as your authentication method? Thanks

@HValG

HValG commented Feb 18, 2025

Hello, I face the same issue.

I am using desktop app version 0.28.1.

I have multiple clusters, some using OIDC, others not. When I launch the app I get a browser page to authenticate me (Keycloak), but once I want to connect to the cluster I get this popup:

Image

Authentication on kubeconfig is working well on other tools so not the issue :)
