
[FEATURE] URL to test if bearer token is valid

Open jcpunk opened this issue 5 months ago • 3 comments

What would you like to be added?

A url endpoint for the dashboard that will return a 401 if the provided header Authorization: Bearer ${token} does not permit login to the kubernetes API.

Why is this needed?

I'm playing around with building a read-only proxy into the kubernetes dashboard similar to the old read-only access. Using the TokenRequest API I'm able to generate short lived tokens that will rotate regularly. The trick is notifying the webserver that the token it loaded in at start is no longer valid.

If there was an endpoint I could test the token against, I could set up a livenessProbe to check if my token has expired and automatically kick the application.

The URL api/v1/me seems to always return 404 via curl:

curl -k -I -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6I<snip>2bv5bcNHw"   'https://localhost:8443/api/v1/me'

jcpunk avatar Jul 23 '25 16:07 jcpunk

Hi @jcpunk, the reason it returns 404 is that you asked for the HEAD only (-I).

Remove the -I and it'll return the proper 401. How about taking only the http_code response? It'll be clearer.

invalid token returns 401

curl -s -k -o /dev/null -w "%{http_code}" -H 'Authorization: Bearer XXXX'  'https://localhost:8443/api/v1/me'
401

valid token returns 200

curl -s -k -o /dev/null -w "%{http_code}" -H 'Authorization: Bearer eyJhbxxxx'  'https://localhost:8443/api/v1/me'
200

But be careful, because it'll return 000 for any curl error, for example a wrong URL, domain or port:

curl -s -k -o /dev/null -w "%{http_code}" -H 'Authorization: Bearer eyJhbxxxx'  'https://localhost:84X3/api/v1/me'
000

curl -s -k -o /dev/null -w "%{http_code}" -H 'Authorization: Bearer eyJhbxxxx'  'https://localhostxxxxx:8443/api/v1/me'
000

sentabi avatar Aug 03 '25 06:08 sentabi
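The reply above boils the check down to the http_code, with the caveat that 000 means curl never got an answer. The script below is an added example for turning that into an exec livenessProbe; it is not code from the issue or from the kubernetes/dashboard project. It assumes the 200/401 behaviour of api/v1/me shown in the reply, and the dashboard URL, the token file path, the CA file variable and the script name token-probe.sh are all hypothetical defaults chosen for the example. It deliberately separates "token rejected" (401, the condition a restart fixes) from "dashboard unreachable" (000), and it passes the bearer token through a curl config on stdin rather than on the command line so the token does not show up in the process list.

```shell
#!/bin/sh
# token-probe.sh: hypothetical livenessProbe helper (example code, not part of
# kubernetes/dashboard). Probes /api/v1/me with the bearer token the proxy
# loaded at start-up and maps curl's %{http_code} to a probe verdict.

# Assumed defaults for the example; override them via env in the Pod spec.
DASHBOARD_URL="${DASHBOARD_URL:-https://localhost:8443}"
TOKEN_FILE="${TOKEN_FILE:-/var/run/secrets/dashboard/token}"  # assumed mount of the TokenRequest token
CA_FILE="${CA_FILE:-}"   # assumed; PEM bundle for the dashboard cert, empty = curl's default CA store

# classify_http_code CODE -> prints one of: valid, rejected, unreachable, unexpected
# 401 is the only answer that says "this token is not accepted"; 000 is curl
# failing to complete the request (wrong host/port, refused connection, TLS
# error) and must not be mistaken for an expired token.
classify_http_code() {
  case "$1" in
    200) echo valid ;;
    401) echo rejected ;;
    000) echo unreachable ;;
    *)   echo unexpected ;;
  esac
}

# verdict_exit_code VERDICT -> exit status for the probe
#   0 valid       (token still works)
#   1 rejected    (token expired/revoked: fail the probe so the Pod restarts)
#   2 anything else (not a token problem; non-zero so the failure is visible)
verdict_exit_code() {
  case "$1" in
    valid)    return 0 ;;
    rejected) return 1 ;;
    *)        return 2 ;;
  esac
}

# probe_token: run the check against the live dashboard and exit accordingly.
probe_token() {
  if [ ! -r "$TOKEN_FILE" ]; then
    echo "probe: token file $TOKEN_FILE not readable" >&2
    return 2
  fi

  # Prefer --cacert over -k: a probe that skips TLS verification would happily
  # accept a 200 from whatever answers on that address.
  if [ -n "$CA_FILE" ]; then
    set -- --cacert "$CA_FILE"
  else
    set --
  fi

  # Feed the Authorization header as a curl config on stdin (-K -) so the
  # token never appears in curl's argv, where `ps` inside the Pod could read it.
  code="$(printf 'header = "Authorization: Bearer %s"\n' "$(cat "$TOKEN_FILE")" \
    | curl -s -o /dev/null -w '%{http_code}' --max-time 5 -K - "$@" \
        "$DASHBOARD_URL/api/v1/me")"

  verdict="$(classify_http_code "$code")"
  echo "probe: http_code=$code verdict=$verdict" >&2
  verdict_exit_code "$verdict"
}

# Only run the probe when executed as the probe script, not when sourced.
case "${0##*/}" in
  token-probe.sh) probe_token ;;
esac

# Matching Pod fragment (assumed paths):
#   livenessProbe:
#     exec:
#       command: ["/bin/sh", "/probe/token-probe.sh"]
#     periodSeconds: 30
#     failureThreshold: 3
```

Kubernetes treats any non-zero exit as a failed probe, so a persistent 000 also ends in a restart once failureThreshold is reached; if an upstream outage should not restart the proxy, change the fallthrough branch of verdict_exit_code to return 0 and rely on the log line instead.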

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 01 '25 06:11 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Dec 01 '25 07:12 k8s-triage-robot