Deprecate and remove "implicit" oauth flow #4705
Comments
Perhaps, we should first deprecate it with a warning in the login form. And some time later, remove it.
That sounds like a good plan. We could even put the implicit flow behind a feature flag that is disabled by default after giving a warning on the login form. Either way, would be good to wait X versions before completely removing since some folks won't upgrade sequentially but jump to the latest version from their current version.
This might also break the molecule tests. So just a reminder that we should ensure we still have those molecule tests that ensure we at least test the basics of our auth (we have openshift, openid, token, and header login tests).
This should be deprecated as of v1.60, we need to update the release notes at this time. Then we should deprecate as soon as we've given folks enough time to respond to the deprecation.
Oops. I'll re-open. I mistakenly wrote "Fixes" in a comment in one of the related PRs.
Kiali currently supports both "implicit" and "authorization code" oauth flows. There are security benefits to using the authorization code flow vs. the implicit flow. In addition, moving to the auth code flow would allow Kiali to take advantage of the widely used go-oidc lib.
Pros:
Cons:
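The issue body above argues for the authorization code flow over the implicit flow. The following is an added illustration, not Kiali's code and not go-oidc (it uses only the Go standard library), of the difference that makes the code flow safer: the implicit request asks for `response_type=token`, so the provider hands the access token back in the redirect URL fragment where the browser, its history and page scripts can see it; the authorization code request with PKCE (RFC 7636) passes only a single-use code through the browser, binds the callback to the login attempt with `state`, and fetches the token over a back channel with the `code_verifier`. The endpoint URLs, the client id `kiali`, the `FakeTokenServer` stand-in for a provider's token endpoint and the token value it returns are all constructed assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// NewPKCE creates a random code_verifier and its S256 code_challenge (RFC 7636).
func NewPKCE() (verifier, challenge string, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	verifier = base64.RawURLEncoding.EncodeToString(raw)
	return verifier, S256Challenge(verifier), nil
}

// S256Challenge derives the challenge the provider later checks against the verifier.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ImplicitAuthURL builds an implicit-flow request (response_type=token): the provider
// answers with the access token itself in the redirect fragment, visible to the browser.
func ImplicitAuthURL(authEndpoint, clientID, redirectURI, state string) string {
	q := url.Values{"response_type": {"token"}, "client_id": {clientID},
		"redirect_uri": {redirectURI}, "state": {state}}
	return authEndpoint + "?" + q.Encode()
}

// AuthCodeURL builds an authorization-code request with PKCE: only a short-lived,
// single-use code travels through the browser; the token is fetched over a back channel.
func AuthCodeURL(authEndpoint, clientID, redirectURI, state, challenge string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {clientID},
		"redirect_uri": {redirectURI}, "state": {state},
		"code_challenge": {challenge}, "code_challenge_method": {"S256"}}
	return authEndpoint + "?" + q.Encode()
}

// HandleCallback checks the state (CSRF guard) and exchanges the code for a token.
func HandleCallback(callbackURL, expectedState, tokenEndpoint, clientID, verifier string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if q.Get("state") != expectedState {
		return "", errors.New("state mismatch: callback not bound to this login attempt")
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carries no authorization code")
	}
	form := url.Values{"grant_type": {"authorization_code"}, "client_id": {clientID},
		"code": {q.Get("code")}, "code_verifier": {verifier}}
	resp, err := http.PostForm(tokenEndpoint, form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %d", resp.StatusCode)
	}
	var body struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	return body.AccessToken, nil
}

// FakeTokenServer is a constructed stand-in for a provider's token endpoint: it issues
// a token only for the expected code and a verifier that matches the stored challenge.
func FakeTokenServer(expectedCode, expectedChallenge string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.FormValue("grant_type") != "authorization_code" ||
			r.FormValue("code") != expectedCode ||
			S256Challenge(r.FormValue("code_verifier")) != expectedChallenge {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{"access_token": "access-token-ok", "token_type": "Bearer"})
	}))
}

func main() {
	_, challenge, err := NewPKCE()
	if err != nil {
		panic(err)
	}
	fmt.Println("implicit: ", ImplicitAuthURL("https://idp.example/auth", "kiali", "https://kiali.example/callback", "s1"))
	fmt.Println("code+pkce:", AuthCodeURL("https://idp.example/auth", "kiali", "https://kiali.example/callback", "s1", challenge))
}
```

Running `main` prints the two authorization request URLs side by side; the rest of the block is what a server-side callback handler does in the code flow, and the fake token endpoint shows the two checks a provider performs there (code and PKCE verifier) that have no counterpart in the implicit flow.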