WIP Migrate KKP dashboard auth from implicit flow to OAuth authorization code flow #7960

Open
ahmadhamzh wants to merge 6 commits into kubermatic:main from ahmadhamzh:7940-oauth-authorization-code-flow-migration

@ahmadhamzh
Contributor

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #7940

What type of PR is this?
/kind design

Special notes for your reviewer:

Does this PR introduce a user-facing change? Then add your Release Note here:


Documentation:


@kubermatic-bot
Contributor

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kubermatic-bot kubermatic-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/design Categorizes issue or PR as related to design. labels Mar 30, 2026
@kubermatic-bot
Contributor

@ahmadhamzh: Adding the "do-not-merge/docs-needed" label because no documentation block was detected, please follow our documentation process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kubermatic-bot kubermatic-bot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. sig/api Denotes a PR or issue as being assigned to SIG API. dco-signoff: yes Denotes that all commits in the pull request have the valid DCO signoff message. do-not-merge/docs-needed Indicates that a PR should not merge because it's missing one of the documentation labels. labels Mar 30, 2026
@kubermatic-bot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ahmadhamzh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ahmadhamzh ahmadhamzh added the sig/ui Denotes a PR or issue as being assigned to SIG UI. label Mar 30, 2026
@kubermatic-bot kubermatic-bot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Mar 30, 2026
-address=127.0.0.1:8080 \
-oidc-url=https://dev.kubermatic.io/dex \
-oidc-authenticator-client-id=kubermatic \
-oidc-authenticator-client-id=kubermaticIssuer \
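
Review bot: Switching `-oidc-authenticator-client-id` to `kubermaticIssuer` on the last line changes which audience the API accepts, so tokens already issued to the `kubermatic` client would stop validating once this is deployed. The PR description has no release note or documentation entry yet; please add one telling operators that this flag value has to change together with the dashboard rollout. Please also confirm that every other place this flag is set receives the same value, since this hunk only covers the invocation bound to 127.0.0.1:8080.
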
Contributor Author

Changed -oidc-authenticator-client-id from kubermatic to kubermaticIssuer
because the new auth code flow issues tokens using the issuer client (kubermaticIssuer).
The token verifier must use the same client ID to accept these tokens (audience claim must match).
The old kubermatic public client was only needed for the implicit flow which is being removed.
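
The audience match described in the comment above, as an added Go example that is not code from this PR or from KKP. `checkAudience` and `constructedToken` are hypothetical names, the tokens are unsigned samples constructed here, and the signature, issuer and expiry checks a real verifier performs first are left out.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// audience accepts both JSON forms of the "aud" claim: one string or an array.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*a = audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// checkAudience reports whether clientID is among the token's audiences.
// Illustration only: signature, issuer and expiry are NOT verified here.
func checkAudience(token, clientID string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("payload: %w", err)
	}
	var claims struct{ Aud audience `json:"aud"` }
	if err := json.Unmarshal(raw, &claims); err != nil {
		return fmt.Errorf("claims: %w", err)
	}
	for _, a := range claims.Aud {
		if a == clientID {
			return nil
		}
	}
	return fmt.Errorf("expected audience %q, got %q", clientID, []string(claims.Aud))
}

// constructedToken wraps a payload as an unsigned sample token ("e30" is "{}").
func constructedToken(payload string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + ".sig"
}
func main() { fmt.Println(checkAudience(constructedToken(`{"aud":"kubermatic"}`), "kubermaticIssuer")) }
```

A token whose `aud` is `kubermatic` fails against a verifier configured for `kubermaticIssuer`, while a token listing `kubermaticIssuer` in an `aud` array passes.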

@ahmadhamzh ahmadhamzh force-pushed the 7940-oauth-authorization-code-flow-migration branch from 4b397b3 to 7ab549f Compare March 31, 2026 14:59
@kubermatic-bot kubermatic-bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Mar 31, 2026
@kubermatic-bot
Contributor

@ahmadhamzh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| pre-dashboard-api-lint | 888a105 | link | true | /test pre-dashboard-api-lint |
| pre-dashboard-web-integration-tests-ce | 888a105 | link | true | /test pre-dashboard-web-integration-tests-ce |
| pre-dashboard-web-integration-tests | 888a105 | link | true | /test pre-dashboard-web-integration-tests |
| pre-dashboard-web-unit | 888a105 | link | true | /test pre-dashboard-web-unit |

Full PR test history

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Development

Successfully merging this pull request may close these issues.

OAuth Authorization Code Flow Migration

2 participants