For customers who enable OIDC-based login to the Admin UI,
it's preferable to skip the username/password login prompt
entirely and provide a seamless login experience to CRDB users.
This change introduces a new boolean cluster setting called
`server.oidc_authentication.autologin`
When this flag is `true`, upon loading the login page in the
Admin UI, the browser will automatically initiate the OIDC
authentication process by redirecting to `/oidc/v1/login`
instead of waiting for the user to login manually or click the
OIDC login button.
This setting causes no server-side change in the behavior of
OIDC authentication functionality.
In addition, in order to allow for usign password logins
when OIDC auth might be unavailable or misconfigured, an
override query param is available on the login page to ensure
that the password login remains available for use. Navigating
to `<node>:<admin_ui_port>/#/login?oidc_auto_login=false`
will disable the automatic redirect allowing for the use
of the password login.
Along with the new setting, a few refactors were made:
- OIDC-related components are in `oidc.tsx` for clarity
- `displayPasswordLogin` flag which was added earlier in
anticipation of this feature has been removed since we
decided to create a flag to trigger autologin instead of
worrying about hiding the password fields
- `displayOIDCButton` has been renamed to `oidcLoginEnabled`
on the client-side to match the server-side flag. Earlier it
was renamed on the client side since it only controlled the
visibility of the OIDC button. Now the redirect depends on that
flag **and** autoLogin to be enabled.
- Login with OIDC button is styled as "secondary" to
differentiate from primary password login button
This change is part of cockroachdb#54619
Release note (admin ui change): added new cluster setting
called `server.oidc_authentication.autologin` which enables
automatic redirect to the OIDC login flow instead of showing
password login prompt. A query param can force disable this
feature in the browser by appending `?oidc_auto_login=false`
to the login path.