Dashboard login fails on Chrome/Firefox #5142
Comments
@floreks: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@OnAzureCloud9 are you using the
@SayakMukhopadhyay: No, I'm retrieving an access token with
@SayakMukhopadhyay I thought you were referring to the size of the Azure token used to sign into the dashboard. I see now that you are referring to the size of the jweToken cookie. From my successful login attempts using Edge I can see that the jweToken cookie appears after successful login. However, I don't see this cookie ever appear when I get stuck on the login screen on Chrome/Firefox in browser debugging tools, so I'm not sure this is applicable. I also do not see any cookie-related error output in the console such as in the post you linked.
@SayakMukhopadhyay Interestingly enough, I think you might be on the right track. I was using Chrome as my main browser and didn't receive any console output regarding the jweToken cookie being too large. However, since I was also having issues with Firefox I decided to give that a shot. I can in fact see a warning in the console on Firefox (but not Chrome): I'll follow up on your linked issues to see if there's any kind of resolution. I'm not sure why this error isn't appearing on Chrome, but I'm assuming it's probably the same issue. Not sure why Edge accepts this yet.
I must say that the browser behaviour is very unreliable around this. I have used Chrome, Firefox and Edge (all latest as of this post) and none of them accepts my 2k long
@SayakMukhopadhyay I noticed that on the "new" Edge browser it didn't work. Left is the old Edge browser logo and right is the new Edge browser: You can see my Edge version in the original post (44.18362.449.0) on the old Edge browser where login succeeds. On Microsoft's new Edge browser (Version 81.0.416.77 (Official build) (64-bit)) I am also unable to login, but on the old Edge browser login succeeds. Maybe there's some difference in the cookie size limitation on the old Edge browser? Side note: I only see the cookie size warning in the debug console on Firefox. I'm unsure why this is not displaying on Chrome/Edge, but I'm hoping this doesn't mean that there's another underlying issue on those browsers. It's odd that the warning isn't displayed on Chrome/Edge.
Max cookie size depends on the browser implementation; however, most browsers will accept a cookie only up to ~4096 bytes. As headers do not share this restriction, it's better to switch to a reverse proxy setup (in this case) and inject the token into the Authorization header.
Could be, I have tested on the Chromium-based Edge itself as I no longer have the old Edge. I don't really know of a workaround other than using an OAuth proxy in the cluster, something that I am yet to try as that would need the dashboard to be accessible from the internet. I don't know enough about the security of a dashboard connected to the internet and protected by an OAuth proxy.
Proxy does not mean that you need to expose Dashboard. You can also set up some reverse proxy in your local cluster and expose it only inside the local network. Everything depends on your configuration and what you need.
@SayakMukhopadhyay try out a new release once Travis pushes the images.
@floreks thanks, keeping a lookout for the release.
@OnAzureCloud9 it won't help with the cookie size issue but should fix a couple of other issues.
I have tested and it's working perfectly. I have commented in the original issue with some details.
By "local cluster" if you mean setting up a reverse proxy at the kubectl level using a plugin, then yeah, I have also considered it. I am pretty much weighing between allowing access to the dashboard only via
The best option is to configure an OAuth reverse proxy with some IdP plugin that will first force you to log in using i.e. Google/GitHub, and then the K8S API will return a user-specific token directly to your proxy. The proxy then takes it and appends it to the Authorization header before forwarding the request to Dashboard. This way, even if someone somehow manages to bypass the proxy and access Dashboard without logging in, there will be nothing to see as Dashboard itself does not have basically any privileges. Remember to also expose your ingress over HTTPS only. Dashboard then does not need custom certificates. It can be exposed only inside the cluster.
@floreks, what do you think about splitting the JWE and saving it into multiple cookies when it exceeds 4k?
I'd first try some kind of string compression to reduce cookie size. It should save us about 25% space.
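An added example (not code from the Dashboard project or any participant here) of the two points raised above: checking a Set-Cookie line against the ~4096-byte per-cookie limit, and splitting an oversized token across numbered cookies and reassembling it from the Cookie request header. The token is a constructed stand-in and the `jweToken-N` / `jweToken-count` naming is an assumption.

```python
import base64
from http.cookies import SimpleCookie

# Constructed stand-in for an oversized jweToken: 6144 base64url characters.
SAMPLE_TOKEN = base64.urlsafe_b64encode(bytes(range(256)) * 18).decode().rstrip("=")

BROWSER_COOKIE_LIMIT = 4096  # per-cookie limit most browsers enforce (name=value plus attributes)
CHUNK_SIZE = 3500            # leaves headroom for the cookie name and attributes

def set_cookie_line(name, value):
    # The attributes count toward the limit, so keep them in the measurement.
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"

def fits_in_one_cookie(name, value):
    return len(set_cookie_line(name, value).encode()) <= BROWSER_COOKIE_LIMIT

def split_token(name, token, chunk_size=CHUNK_SIZE):
    """Return {name-0: chunk, name-1: chunk, ..., name-count: n} (assumed scheme)."""
    chunks = [token[i:i + chunk_size] for i in range(0, len(token), chunk_size)]
    cookies = {f"{name}-{i}": chunk for i, chunk in enumerate(chunks)}
    cookies[f"{name}-count"] = str(len(chunks))
    return cookies

def join_token(name, cookie_header):
    """Reassemble the token from a Cookie: request header.

    A missing chunk raises KeyError rather than yielding a truncated token,
    so a half-delivered cookie set is rejected instead of silently accepted.
    """
    jar = SimpleCookie(cookie_header)
    count = int(jar[f"{name}-count"].value)
    return "".join(jar[f"{name}-{i}"].value for i in range(count))

if __name__ == "__main__":
    cookies = split_token("jweToken", SAMPLE_TOKEN)
    print("whole token fits:", fits_in_one_cookie("jweToken", SAMPLE_TOKEN))
    print("chunks:", cookies["jweToken-count"],
          "all fit:", all(fits_in_one_cookie(k, v) for k, v in cookies.items()))
    header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    print("round trip ok:", join_token("jweToken", header) == SAMPLE_TOKEN)
```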
Hi @floreks. Do you plan to implement this string compression in one of the upcoming Dashboard releases? If so, then where can we follow the status? Thanks!
We are focused now on defining the architecture for the new API. Not sure when I'll have time to look into this.
Great, thanks for your answer. Nice to see that it will be addressed.
Environment
Steps to reproduce
Deploy a v1.16.7 AKS cluster. By default dashboard version v2.0.0-beta8 is deployed with this cluster via AddOnManager. Try to access the dashboard via `kubectl proxy` and `aks browse`. When clicking the login button on Chrome/Firefox after entering a valid user token, nothing occurs and you are left at the login page.
Observed result
After upgrading our AKS cluster to v1.16.7, this updated the dashboard version. Users were no longer able to log in via Chrome/Firefox. This is due to the new login page which requires config/token input to authenticate. After entering a valid token and clicking on the login button nothing occurs. When looking in browser debugging tools, 200 status codes can be seen after clicking the login button. No error messages are returned, whereas if I try an intentionally invalid token I receive an error message. However, when I try the login process on Edge with the valid token the login works as expected and the dashboard loads!
Expected result
Expect to be able to login to dashboard on Chrome/Firefox/Edge.