
Allow Gardener operators to remove the token based authentication as an option for the Gardener Dashboard

Open donistz opened this issue 2 years ago • 3 comments

What would you like to be added: Allow Gardener operators to remove token-based authentication as an option for the Gardener Dashboard when they want only OIDC to be used.

Why is this needed: When 2FA is configured on the trusted identity provider for human user access, it is not good to also give these users an easy workaround to log in to the dashboard using technical user credentials without 2FA.

donistz avatar May 11 '23 14:05 donistz

Why should we deactivate this? If a token is valid for an apiserver, why would we not allow it to be used to log on to the Dashboard? 2FA ensures that users don't leak their passwords; tokens have a certain lifetime anyway.

grolu avatar Jan 08 '24 12:01 grolu

> Why should we deactivate this? If a token is valid for an apiserver, why would we not allow it to be used to log on to the Dashboard? 2FA ensures that users don't leak their passwords; tokens have a certain lifetime anyway.

The reason is the technical user tokens. The Gardener dashboard doesn't differentiate between human user tokens and technical user tokens. This way a human user can generate a technical user token and use it to authenticate to the Dashboard app, which is a browser-based app dedicated explicitly to human users. Maybe the most precise requirement would be for the Gardener dashboard not to allow token-based authentication when the Garden cluster API server has an OIDC trust provider configuration.

donistz avatar Jan 08 '24 12:01 donistz

With https://github.com/gardener/gardener/pull/9583, it will be possible to disable token-based login by setting `.spec.virtualCluster.gardener.gardenerDashboard.enableTokenLogin=false` in the Garden resource.

@gardener/dashboard-maintainers Not sure whether you also want to support this in the Helm chart, or whether you want to close this issue.

rfranzke avatar Apr 16 '24 12:04 rfranzke
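The check an operator would want after the comment above is an audit that the `enableTokenLogin` flag is actually set to `false` wherever OIDC trust is configured, which is exactly the combination donistz's requirement describes. The script below is an added example, not code from the Gardener project or from anyone in this thread. It reads a `Garden` manifest as a plain dict. The token-login field path is the one named in rfranzke's comment; the assumption that the flag defaults to enabled when absent, the OIDC path `.spec.virtualCluster.kubernetes.kubeAPIServer.oidcConfig`, and the two sample manifests are all assumptions or constructed data.

```python
"""Audit a Gardener `Garden` manifest for dashboard token login.

Added example, not Gardener project code. Assumptions (not stated in the issue):
  * token login is treated as enabled unless
    .spec.virtualCluster.gardener.gardenerDashboard.enableTokenLogin is false
    (the field path is from the issue; the default-on behaviour is assumed);
  * OIDC trust on the virtual garden API server lives under
    .spec.virtualCluster.kubernetes.kubeAPIServer.oidcConfig (assumed path).
The manifests at the bottom are constructed test data, not a real landscape.
"""

import copy
from typing import Any, Dict, List, Sequence

TOKEN_LOGIN_PATH: Sequence[str] = (
    "spec", "virtualCluster", "gardener", "gardenerDashboard", "enableTokenLogin",
)
# Assumed location of the OIDC trust configuration.
OIDC_PATH: Sequence[str] = (
    "spec", "virtualCluster", "kubernetes", "kubeAPIServer", "oidcConfig",
)


def lookup(obj: Dict[str, Any], path: Sequence[str]) -> Any:
    """Walk a nested dict along `path`; return None if any key is missing."""
    cur: Any = obj
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def token_login_enabled(garden: Dict[str, Any]) -> bool:
    """Token login counts as enabled unless the flag is explicitly false."""
    return lookup(garden, TOKEN_LOGIN_PATH) is not False


def oidc_configured(garden: Dict[str, Any]) -> bool:
    """OIDC trust is considered configured when an issuerURL is present."""
    cfg = lookup(garden, OIDC_PATH)
    return isinstance(cfg, dict) and bool(cfg.get("issuerURL"))


def audit(garden: Dict[str, Any]) -> List[str]:
    """Return findings; empty list means the manifest passes this check."""
    findings: List[str] = []
    if oidc_configured(garden) and token_login_enabled(garden):
        findings.append(
            "OIDC trust is configured but dashboard token login is still enabled: "
            "set .spec.virtualCluster.gardener.gardenerDashboard.enableTokenLogin=false "
            "so technical-user tokens cannot bypass the IdP's 2FA"
        )
    return findings


# Constructed sample: OIDC trust set up, flag absent -> token login still on.
WEAK_GARDEN: Dict[str, Any] = {
    "apiVersion": "operator.gardener.cloud/v1alpha1",
    "kind": "Garden",
    "metadata": {"name": "garden"},
    "spec": {
        "virtualCluster": {
            "kubernetes": {
                "kubeAPIServer": {
                    "oidcConfig": {
                        "issuerURL": "https://idp.example.com",
                        "clientID": "gardener",
                    }
                }
            },
            "gardener": {"gardenerDashboard": {}},
        }
    },
}

# Same manifest with the flag from the issue set to false.
HARDENED_GARDEN: Dict[str, Any] = copy.deepcopy(WEAK_GARDEN)
HARDENED_GARDEN["spec"]["virtualCluster"]["gardener"]["gardenerDashboard"][
    "enableTokenLogin"
] = False

if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_GARDEN), ("hardened", HARDENED_GARDEN)):
        print(name, audit(manifest) or ["ok"])
```

In practice the dict would come from `kubectl get garden <name> -o json` on the runtime cluster; the check is deliberately conservative and flags the flag-absent case, since an operator who relies on OIDC plus 2FA wants the explicit `false`, not an inherited default.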

/close - reopen if the chart should also be updated

petersutter avatar May 28 '24 07:05 petersutter