Login improvements

[floreks]

Tracking issue for further non-critical login improvements.

• Allow overriding key holder name/namespace with arguments passed to dashboard. This will allow multiple dashboard deployments to use different encryption keys.
• Token blacklisting feature
  In case user logs out his token should be invalidated. We should blacklist it until it expires.
• Key rotation feature
• Consider generating self-signed certificates signed by apiserver CA. This would allow to keep HTTPS enabled by default.
• Support for external identity providers (i.e. Github OAuth, OIDC). Dashboard features for non-admin developers: Integrate dashboard login with GitHub oauth #2621, OIDC without a proxy #2630
• Improve error handling and localize all errors.
• [tracking] Security, auth and logging in #964 (comment)
• Allow logging in when a very long token is provided (i.e. Azure with groups, etc.)

[cohadar]

It would be nice when I login with kubeconfig file to automatically show me the namespace from kubeconfig file instead of just showing default namespace by default.

[pdf]

Is there a ticket on the core side that tracks implementation of the API features/endpoints required for OIDC to work sensibly in dashboard?

[floreks]

I haven't been following core roadmap lately, so I don't know. We'll try to revisit it after angular migration.

[colemickens]

What's the latest on this? I'm interested in having OIDC auth information published in the kube-public namespace for interested clients to discover, for other reasons, in addition to possibly having the dashboard auth scenario be much simpler.

[yhaskell]

It would be also awesome if, when you go to some url (for example, dashboard/#!/log/namespace/pod), and it required sign, it wouldn't forget your url and send you to the page you wanted, and not to overview of default namespace.

[jurgenweber]

It would be absolutely fantastic if we could get some traction on this.

[erandu]

Also interested by the feature that @cohadar suggested :

It would be nice when I login with kubeconfig file to automatically show me the namespace from kubeconfig file instead of just showing default namespace by default.

Any news/info about this ?
Thanks

[nandonespolo]

Is there any integration on access to the dashboard and AWS IAM?

Many thanks.

[sshishov]

Still waiting for this...

[maciaszczykm]

@sshishov You can wait or you can contribute. We are not able to do everything instantly with just a few people.

[andloh]

Any news regarding oidc support? :)

[barnybadzoo]

I know this things take a long time.. any news about it ?

[floreks]

The main issue is that we don't have anyone willing to work on that right now. Our main focus goes to designing and creating a new standalone gRPC API for Dashboard.

[buji-code]

What's the status on OIDC support?

[akhil117]

Allow logging in when a very long token is provided (i.e. Azure with groups, etc.)

What's the status on Allow logging in when a very long token is provided @floreks ?

[juanchovelezpro]

@akhil117 If your organization has a large number of groups, probably you would need to allow only the groups you want to allow in your Cluster to avoid a huge authorization header that will be passed to the Kubernetes Dashboard. To do this you will need to select the groups in Azure AD Enterprise Applications → Search your application → Users and groups, and select the groups you want to authenticate in your cluster