backend: oidc: impersonate instead of forwarding oidc token to k8s api

iSE-stefan-may · iSE-stefan-may · commit 86616110b1e5 · 2025-01-30T17:36:38.000+01:00
diff --git a/backend/cmd/headlamp.go b/backend/cmd/headlamp.go
@@ -54,6 +54,8 @@ type HeadlampConfig struct {
 	oidcClientID          string
 	oidcClientSecret      string
 	oidcIdpIssuerURL      string
+	oidcImpersonate       bool
+	oidcImpersonateClaim  string
 	baseURL               string
 	oidcScopes            []string
 	proxyURLs             []string
@@ -359,7 +361,7 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 	if config.useInCluster {
 		context, err := kubeconfig.GetInClusterContext(config.oidcIdpIssuerURL,
 			config.oidcClientID, config.oidcClientSecret,
-			strings.Join(config.oidcScopes, ","))
+			strings.Join(config.oidcScopes, ","), config.oidcImpersonate)
 		if err != nil {
 			logger.Log(logger.LevelError, nil, err, "Failed to get in-cluster context")
 		}
@@ -883,10 +885,76 @@ func (c *HeadlampConfig) OIDCTokenRefreshMiddleware(next http.Handler) http.Hand
 	})
 }
 
+func (c *HeadlampConfig) OIDCImpersonateMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// skip if not cluster request
+		if !strings.HasPrefix(r.URL.String(), "/clusters/") {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		// parse cluster and token
+		cluster, token := parseClusterAndToken(r)
+		if cluster == "" || token == "" {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		idToken, err := c.getValidToken(r.Context(), token)
+		if err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		var claims map[string]interface{}
+		if err := idToken.Claims(&claims); err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+		user, ok := claims[c.oidcImpersonateClaim].(string)
+		if !ok || user == "" {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		context, err := c.kubeConfigStore.GetContext(cluster)
+		if err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		// User was successfully authenticated, execute request as this user
+		r.Header.Set("Authorization", "Bearer "+context.BearerToken)
+		r.Header.Set("Impersonate-User", user)
+		next.ServeHTTP(w, r)
+	})
+}
+
+func (c *HeadlampConfig) getValidToken(ctx context.Context, token string) (*oidc.IDToken, error) {
+	provider, err := oidc.NewProvider(ctx, c.oidcIdpIssuerURL)
+	if err != nil {
+		logger.Log(logger.LevelError, map[string]string{"idpIssuerURL": c.oidcIdpIssuerURL},
+			err, "failed to get oidc provider")
+		return nil, fmt.Errorf("failed to get oidc provider: %w", err)
+	}
+	oidcConfig := &oidc.Config{
+		ClientID: c.oidcClientID,
+	}
+	oauth2Token, err := provider.Verifier(oidcConfig).Verify(ctx, token)
+	if err != nil {
+		return nil, fmt.Errorf("token is not valid: %w", err)
+	}
+	return oauth2Token, nil
+}
+
 func StartHeadlampServer(config *HeadlampConfig) {
 	handler := createHeadlampHandler(config)
 
 	handler = config.OIDCTokenRefreshMiddleware(handler)
+	if config.oidcImpersonate {
+		handler = config.OIDCImpersonateMiddleware(handler)
+		logger.Log(logger.LevelInfo, nil, nil, "OIDC impersonate active")
+	}
 
 	// Start server
 	err := http.ListenAndServe(fmt.Sprintf(":%d", config.port), handler) //nolint:gosec
diff --git a/backend/cmd/server.go b/backend/cmd/server.go
@@ -48,6 +48,8 @@ func main() {
 		oidcClientSecret:      conf.OidcClientSecret,
 		oidcIdpIssuerURL:      conf.OidcIdpIssuerURL,
 		oidcScopes:            strings.Split(conf.OidcScopes, ","),
+		oidcImpersonate:       conf.OidcImpersonate,
+		oidcImpersonateClaim:  conf.OidcImpersonateClaim,
 		baseURL:               conf.BaseURL,
 		proxyURLs:             strings.Split(conf.ProxyURLs, ","),
 		enableHelm:            conf.EnableHelm,
diff --git a/backend/pkg/config/config.go b/backend/pkg/config/config.go
@@ -35,6 +35,8 @@ type Config struct {
 	OidcClientSecret      string `koanf:"oidc-client-secret"`
 	OidcIdpIssuerURL      string `koanf:"oidc-idp-issuer-url"`
 	OidcScopes            string `koanf:"oidc-scopes"`
+	OidcImpersonate       bool   `koanf:"oidc-impersonate"`
+	OidcImpersonateClaim  string `koanf:"oidc-impersonate-claim"`
 }
 
 func (c *Config) Validate() error {
@@ -166,6 +168,10 @@ func flagset() *flag.FlagSet {
 	f.String("oidc-idp-issuer-url", "", "Identity provider issuer URL for OIDC")
 	f.String("oidc-scopes", "profile,email",
 		"A comma separated list of scopes needed from the OIDC provider")
+	f.Bool("oidc-impersonate", false,
+		"Kubernetes API calls are done with the service account and impersonated as the user in the OIDC token")
+	f.String("oidc-impersonate-claim", "preferred_username",
+		"The claim of the OIDC token to be used when -oidc-impersonate=true")
 
 	return f
 }
diff --git a/backend/pkg/kubeconfig/kubeconfig.go b/backend/pkg/kubeconfig/kubeconfig.go
@@ -43,6 +43,7 @@ type Context struct {
 	Source      int                    `json:"source"`
 	OidcConf    *OidcConfig            `json:"oidcConfig"`
 	proxy       *httputil.ReverseProxy `json:"-"`
+	BearerToken string                 `json:"bearerToken"`
 	Internal    bool                   `json:"internal"`
 	Error       string                 `json:"error"`
 }
@@ -867,7 +868,7 @@ func splitKubeConfigPath(path string) []string {
 // GetInClusterContext returns the in-cluster context.
 func GetInClusterContext(oidcIssuerURL string,
 	oidcClientID string, oidcClientSecret string,
-	oidcScopes string,
+	oidcScopes string, oidcImpersonate bool,
 ) (*Context, error) {
 	clusterConfig, err := rest.InClusterConfig()
 	if err != nil {
@@ -888,6 +889,7 @@ func GetInClusterContext(oidcIssuerURL string,
 	inClusterAuthInfo := &api.AuthInfo{}
 
 	var oidcConf *OidcConfig
+	var bearerToken string
 
 	if oidcClientID != "" && oidcClientSecret != "" && oidcIssuerURL != "" && oidcScopes != "" {
 		oidcConf = &OidcConfig{
@@ -896,6 +898,10 @@ func GetInClusterContext(oidcIssuerURL string,
 			IdpIssuerURL: oidcIssuerURL,
 			Scopes:       strings.Split(oidcScopes, ","),
 		}
+
+		if oidcImpersonate {
+			bearerToken = clusterConfig.BearerToken
+		}
 	}
 
 	return &Context{
@@ -904,6 +910,7 @@ func GetInClusterContext(oidcIssuerURL string,
 		Cluster:     cluster,
 		AuthInfo:    inClusterAuthInfo,
 		OidcConf:    oidcConf,
+		BearerToken: bearerToken,
 	}, nil
 }
 
diff --git a/docs/installation/in-cluster/oidc.md b/docs/installation/in-cluster/oidc.md
@@ -33,6 +33,25 @@ then add them all to the option:
 used by Dex and other services, but since it's not part of the default spec,
 it was removed in the mentioned version.
 
+### Impersonation
+
+Headlamp's default OIDC authentication flow involves sending the OIDC token
+directly to the Kubernetes API for evaluation. However, in environments where
+Kubernetes is unable to directly verify OIDC tokens (e.g., due to configuration
+constraints), Headlamp offers an impersonation feature. This allows Headlamp to
+validate the OIDC token itself and then use a pre-configured service account to
+impersonate the user identified in the token's `preferred_username` claim.
+
+To enable this impersonation behavior, set the `-oidc-impersonate` flag to `true`:
+
+`-oidc-impersonate=true`
+
+The username is extracted from the OIDC JWT token, by default from the
+`preferred_username` field. If you want to use another claim, it can be changed
+with:
+
+`-oidc-impersonate-claim=email`
+
 ### Example: OIDC with Keycloak in Minikube
 
 If you are interested in a comprehensive example of using OIDC and Headlamp,
