feat(auth): make token header and prefix configurable via flags and env

ederign · ederign · commit 4ab1ba2d1514 · 2025-04-16T09:59:02.000-04:00
- Introduced `AuthTokenHeader` and `AuthTokenPrefix` fields to EnvConfig
- Default token extraction uses `Authorization` header with `Bearer ` prefix
- Updated TokenClientFactory to dynamically parse token using configured header and prefix
- Added new CLI flags: `--auth-token-header` and `--auth-token-prefix`
- Updated Makefile to support overriding header and prefix via `AUTH_TOKEN_HEADER` and `AUTH_TOKEN_PREFIX`
- Improved error messages and testability of token parsing logic
- Added Ginkgo unit tests for TokenClientFactory.ExtractRequestIdentity with and without prefixes
- Cleaned up README:
  - Replaced all `X-Forwarded-Access-Token` references with `Authorization: Bearer`
  - Documented how to override token header and prefix via CLI, env, or Makefile

Signed-off-by: Eder Ignatowicz &lt;ignatowicz@gmail.com&gt;
diff --git a/clients/ui/bff/Makefile b/clients/ui/bff/Makefile
@@ -5,6 +5,8 @@ DEV_MODE ?= false
 DEV_MODE_PORT ?= 8080
 STANDALONE_MODE ?= true
 AUTH_METHOD ?= internal
+AUTH_TOKEN_HEADER ?= Authorization
+AUTH_TOKEN_PREFIX ?= Bearer\
 #frontend static assets root directory
 STATIC_ASSETS_DIR ?= ./static
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
@@ -51,7 +53,7 @@ build: fmt vet test ## Builds the project to produce a binary executable.
 .PHONY: run
 run: fmt vet envtest ## Runs the project.
 	ENVTEST_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" \
-	go run ./cmd --port=$(PORT) --auth-method=${AUTH_METHOD} --static-assets-dir=$(STATIC_ASSETS_DIR) --mock-k8s-client=$(MOCK_K8S_CLIENT) --mock-mr-client=$(MOCK_MR_CLIENT) --dev-mode=$(DEV_MODE) --dev-mode-port=$(DEV_MODE_PORT)  --standalone-mode=$(STANDALONE_MODE) --log-level=$(LOG_LEVEL) --allowed-origins=$(ALLOWED_ORIGINS)
+	go run ./cmd --port=$(PORT) --auth-method=${AUTH_METHOD} --auth-token-header=$(AUTH_TOKEN_HEADER) --auth-token-prefix="$(AUTH_TOKEN_PREFIX)" --static-assets-dir=$(STATIC_ASSETS_DIR) --mock-k8s-client=$(MOCK_K8S_CLIENT) --mock-mr-client=$(MOCK_MR_CLIENT) --dev-mode=$(DEV_MODE) --dev-mode-port=$(DEV_MODE_PORT)  --standalone-mode=$(STANDALONE_MODE) --log-level=$(LOG_LEVEL) --allowed-origins=$(ALLOWED_ORIGINS)
 
 ##@ Dependencies
 
diff --git a/clients/ui/bff/README.md b/clients/ui/bff/README.md
@@ -105,18 +105,18 @@ curl -i "localhost:4000/healthcheck"
 ```
 # GET /v1/user 
 curl -i -H "kubeflow-userid: user@example.com" "localhost:4000/api/v1/user"
-curl -i -H "X-Forwarded-Access-Token: $TOKEN" "localhost:4000/api/v1/user"
+curl -i -H "Authorization: Bearer $TOKEN" "localhost:4000/api/v1/user"
 ```
 ```
 # GET /v1/namespaces (only works when DEV_MODE=true)
 curl -i -H "kubeflow-userid: user@example.com" "localhost:4000/api/v1/namespaces"
-curl -i -H "X-Forwarded-Access-Token: $TOKEN" "localhost:4000/api/v1/namespaces"
+curl -i -H "Authorization: Bearer $TOKEN" "localhost:4000/api/v1/namespaces"
 ```
 
 ```
 # GET /v1/model_registry
 curl -i -H "kubeflow-userid: user@example.com" "localhost:4000/api/v1/model_registry?namespace=kubeflow"
-curl -i -H "X-Forwarded-Access-Token: $TOKEN" "localhost:4000/api/v1/model_registry?namespace=kubeflow"
+curl -i -H "Authorization: Bearer $TOKEN" "localhost:4000/api/v1/model_registry?namespace=kubeflow"
 ```
 
 ```
@@ -130,7 +130,7 @@ curl -i \
 ```
 # GET /v1/model_registry/{model_registry_id}/registered_models
 curl -i -H "kubeflow-userid: user@example.com" "localhost:4000/api/v1/model_registry/model-registry/registered_models?namespace=kubeflow"
-curl -i -H "X-Forwarded-Access-Token: $TOKEN" "localhost:4000/api/v1/model_registry/model-registry-service/registered_models?namespace=kubeflow-user-example-com""
+curl -i -H "Authorization: Bearer $TOKEN" "localhost:4000/api/v1/model_registry/model-registry-service/registered_models?namespace=kubeflow-user-example-com""
 ```
 
 ```
@@ -381,17 +381,16 @@ The BFF supports two authentication modes, selectable via the --auth-method flag
     - In this mode, user identity is passed via the kubeflow-userid and optionally kubeflow-groups headers.
     - This is the default mode and works well with mock clients and local testing.
 - `user_token`: Uses a user-provided Bearer token for authentication.
-    - The token must be passed in the `X-Forwarded-Access-Token` header.
-    - Useful when the frontend is fronted by an auth proxy (e.g., Istio + OIDC) that injects a valid Kubernetes token.
-
+  - The token must be passed in the `Authorization` header using the Bearer schema (e.g., `Authorization: Bearer <token>`).
+  - This method works with OIDC-authenticated flows and frontend proxies that preserve standard Bearer tokens.
 
 #### 4. How BFF authorization works?
 
 Authorization is performed using Kubernetes access reviews, validating whether the user (or their groups) can perform certain actions.
 There are two review mechanisms depending on the authentication mode:
 - Internal mode (auth-method=internal):
 Uses SubjectAccessReview (SAR) to check whether the impersonated user (from kubeflow-userid and kubeflow-groups headers) has the required permissions.
-- User token mode (auth-method=user_token): Uses SelfSubjectAccessReview (SSAR), leveraging the Bearer token provided in the X-Forwarded-Access-Token header to check the current user's permissions directly.
+- User token mode (auth-method=user_token): Uses SelfSubjectAccessReview (SSAR), leveraging the Bearer token provided in the `Authorization` header to check the current user's permissions directly.
 
 ##### Authorization logic
 * Access to Model Registry List (/v1/model_registry):
@@ -402,6 +401,25 @@ Uses SubjectAccessReview (SAR) to check whether the impersonated user (from kube
     - Checks for get on the specific service (identified by model_registry_id) in the namespace.
     - If authorized, access is granted.
 
+##### Overriding Token Header and Prefix
+
+By default, the BFF expects the token to be passed in the standard Authorization header with a Bearer prefix:
+
+```shell
+Authorization: Bearer <your-token>
+```
+If you're integrating with a proxy or tool that uses a custom header (e.g., X-Forwarded-Access-Token without a prefix), you can override this behavior using environment variables or Makefile arguments.
+
+```shell
+make run AUTH_METHOD=user_token AUTH_TOKEN_HEADER=X-Forwarded-Access-Token AUTH_TOKEN_PREFIX=""
+```
+This will configure the BFF to extract the raw token from the following header:
+
+```shell
+X-Forwarded-Access-Token: <your-token>
+```
+
+
 #### 5. How do I allow CORS requests from other origins
 
 When serving the UI directly from the BFF there is no need for any CORS headers to be served, by default they are turned off for security reasons.
diff --git a/clients/ui/bff/cmd/main.go b/clients/ui/bff/cmd/main.go
@@ -33,6 +33,8 @@ func main() {
 	flag.TextVar(&cfg.LogLevel, "log-level", parseLevel(getEnvAsString("LOG_LEVEL", "INFO")), "Sets server log level, possible values: error, warn, info, debug")
 	flag.Func("allowed-origins", "Sets allowed origins for CORS purposes, accepts a comma separated list of origins or * to allow all, default none", newOriginParser(&cfg.AllowedOrigins, getEnvAsString("ALLOWED_ORIGINS", "")))
 	flag.StringVar(&cfg.AuthMethod, "auth-method", "internal", "Authentication method (internal or user_token)")
+	flag.StringVar(&cfg.AuthTokenHeader, "auth-token-header", getEnvAsString("AUTH_TOKEN_HEADER", config.DefaultAuthTokenHeader), "Header used to extract the token (e.g., Authorization)")
+	flag.StringVar(&cfg.AuthTokenPrefix, "auth-token-prefix", getEnvAsString("AUTH_TOKEN_PREFIX", config.DefaultAuthTokenPrefix), "Prefix used in the token header (e.g., 'Bearer ')")
 	flag.Parse()
 
 	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
diff --git a/clients/ui/bff/internal/config/environment.go b/clients/ui/bff/internal/config/environment.go
@@ -12,6 +12,13 @@ const (
 
 	// AuthMethodUser uses a user-provided Bearer token for authentication.
 	AuthMethodUser = "user_token"
+
+	// DefaultAuthTokenHeader is the standard header for Bearer token auth.
+	DefaultAuthTokenHeader = "Authorization"
+
+	// DefaultAuthTokenPrefix is the prefix used in the Authorization header.
+	// note: the space here is intentional, as the prefix is "Bearer " (with a space).
+	DefaultAuthTokenPrefix = "Bearer "
 )
 
 type EnvConfig struct {
@@ -24,6 +31,17 @@ type EnvConfig struct {
 	StaticAssetsDir string
 	LogLevel        slog.Level
 	AllowedOrigins  []string
-	// Either AuthMethodInternal or AuthMethodUser
+
+	// ─── AUTH ───────────────────────────────────────────────────
+	// Specifies the authentication method used by the server.
+	// Valid values: "internal" or "user_token"
 	AuthMethod string
+
+	// Header used to extract the authentication token.
+	// Default is "Authorization" and can be overridden via CLI/env for proxy integration scenarios.
+	AuthTokenHeader string
+
+	// Optional prefix to strip from the token header value.
+	// Default is "Bearer ", can be set to empty if the token is sent without a prefix.
+	AuthTokenPrefix string
 }
diff --git a/clients/ui/bff/internal/constants/keys.go b/clients/ui/bff/internal/constants/keys.go
@@ -10,8 +10,6 @@ const (
 
 	// The following keys are used to store the user access token in the context
 	RequestIdentityKey contextKey = "requestIdentityKey"
-	//For config.AuthMethodUser
-	XForwardedAccessTokenHeader = "X-Forwarded-Access-Token"
 
 	// For config.AuthMethodInternal
 	// Kubeflow authorization operates using custom authentication headers:
diff --git a/clients/ui/bff/internal/integrations/kubernetes/factory.go b/clients/ui/bff/internal/integrations/kubernetes/factory.go
@@ -22,7 +22,7 @@ func NewKubernetesClientFactory(cfg config.EnvConfig, logger *slog.Logger) (Kube
 		return k8sFactory, nil
 
 	case config.AuthMethodUser:
-		k8sFactory := NewTokenClientFactory(logger)
+		k8sFactory := NewTokenClientFactory(logger, cfg)
 		return k8sFactory, nil
 
 	default:
@@ -65,7 +65,6 @@ func (f *StaticClientFactory) ExtractRequestIdentity(httpHeader http.Header) (*R
 	userID := httpHeader.Get(constants.KubeflowUserIDHeader)
 	//`kubeflow-userid`: Contains the user's email address.
 	if userID == "" {
-		return nil, fmt.Errorf("missing required header on AuthMethodInternal: kubeflow-userid")
 	}
 
 	userGroupsHeader := httpHeader.Get(constants.KubeflowUserGroupsIdHeader)
@@ -102,22 +101,36 @@ func (f *StaticClientFactory) ValidateRequestIdentity(identity *RequestIdentity)
 //
 
 type TokenClientFactory struct {
-	logger *slog.Logger
+	Logger *slog.Logger
+	Header string
+	Prefix string
 }
 
-func NewTokenClientFactory(logger *slog.Logger) KubernetesClientFactory {
-	return &TokenClientFactory{logger: logger}
+func NewTokenClientFactory(logger *slog.Logger, cfg config.EnvConfig) KubernetesClientFactory {
+	return &TokenClientFactory{
+		Logger: logger,
+		Header: cfg.AuthTokenHeader,
+		Prefix: cfg.AuthTokenPrefix,
+	}
 }
 
 func (f *TokenClientFactory) ExtractRequestIdentity(httpHeader http.Header) (*RequestIdentity, error) {
-	token := httpHeader.Get(constants.XForwardedAccessTokenHeader)
-	if token == "" {
-		return nil, fmt.Errorf("missing required header on AuthMethodUser: access token")
+	raw := httpHeader.Get(f.Header)
+	if raw == "" {
+		return nil, fmt.Errorf("missing required Header: %s", f.Header)
 	}
-	identity := &RequestIdentity{
-		Token: token,
+
+	token := raw
+	if f.Prefix != "" {
+		if !strings.HasPrefix(raw, f.Prefix) {
+			return nil, fmt.Errorf("expected token Header %s to start with Prefix %q", f.Header, f.Prefix)
+		}
+		token = strings.TrimPrefix(raw, f.Prefix)
 	}
-	return identity, nil
+
+	return &RequestIdentity{
+		Token: strings.TrimSpace(token),
+	}, nil
 }
 
 func (f *TokenClientFactory) ValidateRequestIdentity(identity *RequestIdentity) error {
@@ -144,5 +157,5 @@ func (f *TokenClientFactory) GetClient(ctx context.Context) (KubernetesClientInt
 		return nil, fmt.Errorf("invalid or missing identity token")
 	}
 
-	return newTokenKubernetesClient(identity.Token, f.logger)
+	return newTokenKubernetesClient(identity.Token, f.Logger)
 }
diff --git a/clients/ui/bff/internal/integrations/kubernetes/k8mocks/mock_factory.go b/clients/ui/bff/internal/integrations/kubernetes/k8mocks/mock_factory.go
@@ -105,7 +105,12 @@ type MockedTokenClientFactory struct {
 
 // NewTokenClientFactory initializes a factory using a known envtest clientset + config.
 func NewTokenClientFactory(clientset kubernetes.Interface, restConfig *rest.Config, logger *slog.Logger) (k8s.KubernetesClientFactory, error) {
-	realFactory := k8s.NewTokenClientFactory(logger)
+	cfg := config.EnvConfig{
+		AuthMethod:      config.AuthMethodUser,
+		AuthTokenHeader: config.DefaultAuthTokenHeader,
+		AuthTokenPrefix: config.DefaultAuthTokenPrefix,
+	}
+	realFactory := k8s.NewTokenClientFactory(logger, cfg)
 
 	return &MockedTokenClientFactory{
 		logger:         logger,
diff --git a/clients/ui/bff/internal/integrations/kubernetes/tests/factory_test.go b/clients/ui/bff/internal/integrations/kubernetes/tests/factory_test.go
@@ -0,0 +1,92 @@
+package tests
+
+import (
+	"github.com/kubeflow/model-registry/ui/bff/internal/config"
+	"github.com/kubeflow/model-registry/ui/bff/internal/integrations/kubernetes"
+	"net/http"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("TokenClientFactory ExtractRequestIdentity", func() {
+
+	var factory *kubernetes.TokenClientFactory
+	var header http.Header
+
+	BeforeEach(func() {
+		header = http.Header{}
+	})
+
+	Context("with Bearer prefix", func() {
+		BeforeEach(func() {
+			factory = &kubernetes.TokenClientFactory{
+				Logger: nil,
+				Header: config.DefaultAuthTokenHeader,
+				Prefix: config.DefaultAuthTokenPrefix,
+			}
+		})
+
+		It("should extract the token successfully", func() {
+			header.Set("Authorization", "Bearer doratoken")
+
+			identity, err := factory.ExtractRequestIdentity(header)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(identity.Token).To(Equal("doratoken"))
+		})
+
+		It("should fail if prefix does not match", func() {
+			header.Set("Authorization", "Token bellatoken")
+
+			_, err := factory.ExtractRequestIdentity(header)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("expected token Header Authorization to start with Prefix \"Bearer \""))
+		})
+
+		It("should fail if prefix is missing", func() {
+			header.Set("Authorization", "doratoken")
+
+			_, err := factory.ExtractRequestIdentity(header)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("expected token Header Authorization to start with Prefix \"Bearer \""))
+		})
+
+		It("should fail if header is missing", func() {
+			_, err := factory.ExtractRequestIdentity(header)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("missing required Header: Authorization"))
+		})
+	})
+
+	Context("with no prefix", func() {
+		BeforeEach(func() {
+			factory = &kubernetes.TokenClientFactory{
+				Logger: nil,
+				Header: "X-Forwarded-Access-Token",
+				Prefix: "",
+			}
+		})
+
+		It("should extract the raw token", func() {
+			header.Set("X-Forwarded-Access-Token", "bellatoken")
+
+			identity, err := factory.ExtractRequestIdentity(header)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(identity.Token).To(Equal("bellatoken"))
+		})
+
+		It("should fail if header is missing", func() {
+			_, err := factory.ExtractRequestIdentity(header)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("missing required Header: X-Forwarded-Access-Token"))
+		})
+
+		It("should fail if header mismatch", func() {
+			header.Set("X-WRONG-Access-Token", "bellatoken")
+
+			_, err := factory.ExtractRequestIdentity(header)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("missing required Header: X-Forwarded-Access-Token"))
+		})
+	})
+})
