OpenID Connect Improvements
What this PR does / why we need it:
Refresh Token
OpenID Connect defines the `offline_access` scope value to request a `refresh_token` in addition to the `id_token`, which allows using an OIDC provider with short `id_token` lifetimes. With this PR we support the usage of the scope `offline_access`. Typically the `refresh_token` is an opaque token and not a JWT with an `exp` claim. But the `refresh_token` has a limited lifetime. If the `refresh_token` is used to refresh an `id_token`, a new `refresh_token` is returned and the old `refresh_token` cannot be used again. Therefore the client must check if an `id_token` will expire soon and refresh the `id_token` if necessary. Since the process can be repeated again and again, we recommend configuring an absolute `sessionLifetime` that stops the automatic refresh process and forces a logout if the lifetime of a session exceeds this limit.
To enable this feature the operator has to configure the scope in the chart values:

```yaml
oidc:
  scope: "openid email groups profile offline_access"
  sessionLifetime: 86400 # 1 day
```
Authorization Code Flow + PKCE
Currently all downloaded user kubeconfigs contain a `client_secret`. With this PR we support the PKCE flow for the OIDC client used by the dashboard itself as well as for the public client used for the downloaded kubeconfig. In order to remove the `client_secret` from the downloaded kubeconfig the operator needs to force the usage of the PKCE flow for the public client. The PKCE flow will be enabled by default if no `clientSecret` is given in the values.

```yaml
oidc:
  ...
  public:
    clientId: 'my-public-client-id'
    # clientSecret: 'my-public-client-secret'
```
It is also possible to force the PKCE flow for the client used by the dashboard, but the `client_secret` is still required.

```yaml
oidc:
  clientId: 'my-internal-client-id'
  clientSecret: 'my-internal-client-secret'
  usePKCE: true
```
Changes in socket.io connection handling
Since it is not possible to refresh the JWT for an open socket.io connection, we close the underlying websocket connection from the server side once the JWT is expired. The client will automatically refresh the token and reconnect with the new JWT. The initial data fetch for a new or resynchronized subscription is done via HTTP.
Added Vue `api` plugin
Makes all `api` functions available on Vue instances. The plugin intercepts all api requests and refreshes the JWT if necessary.
Added Vuex `localstorage` plugin
Synchronizes the browser localstorage with the corresponding Vuex module.
Added a Vue `logger` plugin
The logLevel of this logger can be modified by the localstorage property `global/log-level`.
Added a settings page
The settings page currently is only visible in developer mode. It can be enabled by setting the localstorage property `global/developer-mode` to the value `enabled`. The logLevel can be changed on this page.
Which issue(s) this PR fixes: Fixes #976 #984
Special notes for your reviewer:
Release note:
Added support for OIDC refresh tokens. This allows an operator to configure short `id_token` lifetimes.
Added support for PKCE flow to the internal and the public OIDC client. This allows an operator to configure the public client without a `client_secret`.
@grolu You have an open pull request review invite, please check.
@holgerkoser You need to rebase this pull request with the latest master branch. Please check.