release-20.2: auth: add autoLogin ability to OIDC configuration #56510
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For customers who enable OIDC-based login to the Admin UI, it's preferable to skip the username/password login prompt entirely and provide a seamless login experience to CRDB users. This change introduces a new boolean cluster setting called `server.oidc_authentication.autologin` When this flag is `true`, upon loading the login page in the Admin UI, the browser will automatically initiate the OIDC authentication process by redirecting to `/oidc/v1/login` instead of waiting for the user to login manually or click the OIDC login button. This setting causes no server-side change in the behavior of OIDC authentication functionality. In addition, in order to allow for usign password logins when OIDC auth might be unavailable or misconfigured, an override query param is available on the login page to ensure that the password login remains available for use. Navigating to `<node>:<admin_ui_port>/#/login?oidc_auto_login=false` will disable the automatic redirect allowing for the use of the password login. Along with the new setting, a few refactors were made: - OIDC-related components are in `oidc.tsx` for clarity - `displayPasswordLogin` flag which was added earlier in anticipation of this feature has been removed since we decided to create a flag to trigger autologin instead of worrying about hiding the password fields - `displayOIDCButton` has been renamed to `oidcLoginEnabled` on the client-side to match the server-side flag. Earlier it was renamed on the client side since it only controlled the visibility of the OIDC button. Now the redirect depends on that flag **and** autoLogin to be enabled. - Login with OIDC button is styled as "secondary" to differentiate from primary password login button This change is part of cockroachdb#54619 Release note (admin ui change): added new cluster setting called `server.oidc_authentication.autologin` which enables automatic redirect to the OIDC login flow instead of showing password login prompt. A query param can force disable this feature in the browser by appending `?oidc_auto_login=false` to the login path.
|
This change is |
bdarnell
approved these changes
Nov 10, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport 1/1 commits from #55552.
/cc @cockroachdb/release
For customers who enable OIDC-based login to the Admin UI,
it's preferable to skip the username/password login prompt
entirely and provide a seamless login experience to CRDB users.
This change introduces a new boolean cluster setting called
server.oidc_authentication.autologinWhen this flag is
true, upon loading the login page in theAdmin UI, the browser will automatically initiate the OIDC
authentication process by redirecting to
/oidc/v1/logininstead of waiting for the user to login manually or click the
OIDC login button.
This setting causes no server-side change in the behavior of
OIDC authentication functionality.
Along with the new setting, a few refactors were made:
oidc.tsxfor claritydisplayPasswordLoginflag which was added earlier inanticipation of this feature has been removed since we
decided to create a flag to trigger autologin instead of
worrying about hiding the password fields
displayOIDCButtonhas been renamed tooidcLoginEnabledon the client-side to match the server-side flag. Earlier it
was renamed on the client side since it only controlled the
visibility of the OIDC button. Now the redirect depends on that
flag and autoLogin to be enabled.
This change is part of #54619
Release note (admin ui change): added new cluster setting
called
server.oidc_authentication.autologinwhich enablesautomatic redirect to the OIDC login flow instead of showing
password login prompt.