release-20.2: auth: add autoLogin ability to OIDC configuration #56510
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport 1/1 commits from #55552.
/cc @cockroachdb/release
For customers who enable OIDC-based login to the Admin UI,
it's preferable to skip the username/password login prompt
entirely and provide a seamless login experience to CRDB users.
This change introduces a new boolean cluster setting called
server.oidc_authentication.autologin
When this flag is
true
, upon loading the login page in theAdmin UI, the browser will automatically initiate the OIDC
authentication process by redirecting to
/oidc/v1/login
instead of waiting for the user to login manually or click the
OIDC login button.
This setting causes no server-side change in the behavior of
OIDC authentication functionality.
Along with the new setting, a few refactors were made:
oidc.tsx
for claritydisplayPasswordLogin
flag which was added earlier inanticipation of this feature has been removed since we
decided to create a flag to trigger autologin instead of
worrying about hiding the password fields
displayOIDCButton
has been renamed tooidcLoginEnabled
on the client-side to match the server-side flag. Earlier it
was renamed on the client side since it only controlled the
visibility of the OIDC button. Now the redirect depends on that
flag and autoLogin to be enabled.
This change is part of #54619
Release note (admin ui change): added new cluster setting
called
server.oidc_authentication.autologin
which enablesautomatic redirect to the OIDC login flow instead of showing
password login prompt.