release-20.2: auth: add autoLogin ability to OIDC configuration #56510

Merged
merged 1 commit into from
Nov 11, 2020

Commits on Nov 10, 2020

  1. auth: add autoLogin ability to OIDC configuration

    For customers who enable OIDC-based login to the Admin UI,
    it's preferable to skip the username/password login prompt
    entirely and provide a seamless login experience to CRDB users.
    
    This change introduces a new boolean cluster setting called
    `server.oidc_authentication.autologin`
    When this flag is `true`, upon loading the login page in the
    Admin UI, the browser will automatically initiate the OIDC
    authentication process by redirecting to `/oidc/v1/login`
    instead of waiting for the user to log in manually or click the
    OIDC login button.
    
    This setting causes no server-side change in the behavior of
    OIDC authentication functionality.
    
    In addition, in order to allow for using password logins
    when OIDC auth might be unavailable or misconfigured, an
    override query param is available on the login page to ensure
    that the password login remains available for use. Navigating
    to `<node>:<admin_ui_port>/#/login?oidc_auto_login=false`
    will disable the automatic redirect allowing for the use
    of the password login.
    
    Along with the new setting, a few refactors were made:
    - OIDC-related components are in `oidc.tsx` for clarity
    - `displayPasswordLogin` flag which was added earlier in
      anticipation of this feature has been removed since we
      decided to create a flag to trigger autologin instead of
      worrying about hiding the password fields
    - `displayOIDCButton` has been renamed to `oidcLoginEnabled`
      on the client-side to match the server-side flag. Earlier it
      was renamed on the client side since it only controlled the
      visibility of the OIDC button. Now the redirect depends on that
      flag **and** autoLogin to be enabled.
    - Login with OIDC button is styled as "secondary" to
      differentiate from primary password login button
    
    This change is part of cockroachdb#54619
    
    Release note (admin ui change): added new cluster setting
    called `server.oidc_authentication.autologin` which enables
    automatic redirect to the OIDC login flow instead of showing
    password login prompt. A query param can force disable this
    feature in the browser by appending `?oidc_auto_login=false`
    to the login path.
    dhartunian committed Nov 10, 2020
    cd8c5df
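
The redirect decision the commit message describes is made entirely in the browser, and the override sits inside the hash route rather than the normal query string. The sketch below is an added example, not code from this PR or the CockroachDB repository: the interface, function names and sample URLs are hypothetical, and only the flag names, the `/oidc/v1/login` path and the `oidc_auto_login=false` override come from the commit message.

```typescript
// Added illustration; not code from the CockroachDB repository.
// Field names mirror the flags named in the commit message; the
// interface and function names are hypothetical.
interface OIDCLoginState {
  oidcLoginEnabled: boolean; // OIDC login is enabled (server-side flag sent to the client)
  oidcAutoLogin: boolean;    // value of server.oidc_authentication.autologin
}

const OIDC_LOGIN_PATH = "/oidc/v1/login";
const OVERRIDE_PARAM = "oidc_auto_login";

// The login URL uses hash routing (/#/login?oidc_auto_login=false), so the
// override lives inside the fragment and is invisible to location.search.
function hashRouteParams(href: string): URLSearchParams {
  const hashStart = href.indexOf("#");
  if (hashStart === -1) return new URLSearchParams("");
  const fragment = href.slice(hashStart + 1);
  const queryStart = fragment.indexOf("?");
  return new URLSearchParams(queryStart === -1 ? "" : fragment.slice(queryStart + 1));
}

// Returns the path to redirect to, or null to render the password form.
function autoLoginRedirect(href: string, state: OIDCLoginState): string | null {
  // Both flags must be on before the browser redirects.
  if (!state.oidcLoginEnabled || !state.oidcAutoLogin) return null;
  // Assumption: only the literal value "false" disables the redirect,
  // since that is the only value the commit message documents.
  if (hashRouteParams(href).get(OVERRIDE_PARAM) === "false") return null;
  return OIDC_LOGIN_PATH;
}
```

Because the check runs only on the client, the password form stays reachable for any user who appends the override, which matches the commit's statement that the setting changes nothing server-side.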