Backend: Frontend: Add OIDC Autologin

[mudit06mah]

Summary

This PR Adds feature to enable Autologin on OIDC as well as support for OIDC autologin.

Related Issue

Fixes #4343

Changes

• Added oidc-auto-login flag to headlamp-server
• Added support in redux for configs
• Added authentication login to Layout.tsx

Steps to Test

1. Start headlamp server with flag oidc-auto-login=true and other oidc flags (oidc-client-id, oidc-idp-issuer-url, etc.)
2. Set up cluster with auth-provider = 'oidc'
3. Navigate to OIDC cluster, Redirects to OIDC provider's login screen.

Screenshots

oidc_autologin.mp4

Note

I couldn't correctly configure my OIDC client locally, but it completely works logically as intended.

[Copilot]

Pull request overview

This pull request adds OIDC auto-login functionality to Headlamp, allowing automatic redirection to the OIDC provider when enabled via the oidc-auto-login server flag. This eliminates the manual step of clicking "Sign In" for OIDC-authenticated clusters.

Changes:

• Added oidc-auto-login configuration flag to the backend that can be enabled via command line
• Extended Redux state to store the oidcAutoLogin setting from the backend configuration
• Implemented auto-redirect logic in the Layout component to automatically initiate OIDC authentication flow

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
backend/pkg/config/config.go	Adds OidcAutoLogin boolean field and corresponding command-line flag
backend/cmd/server.go	Initializes OidcAutoLogin from config when creating HeadlampConfig
backend/cmd/headlamp.go	Adds OidcAutoLogin field to HeadlampConfig struct and includes it in clientConfig API response
backend/cmd/stateless.go	Includes oidcAutoLogin in clientConfig for parseKubeConfig endpoint (hardcoded to false)
frontend/src/redux/configSlice.ts	Adds oidcAutoLogin field to ConfigState and updates setConfig action to accept it
frontend/src/components/authchooser/index.tsx	Preserves oidcAutoLogin when updating cluster config after auth testing
frontend/src/components/App/Layout.tsx	Implements auto-redirect logic via useEffect that redirects to OIDC provider when conditions are met

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mudit06mah]

@illume I have made all the changes requested by copilot, Please review this again :)

[menardorama]

Hi that's awesome!

What would be the behavior when running in cluster config ?

Would the user being automatically be redirected when reaching the homepage ?

Anyway thanks a lot

[mudit06mah]

What would be the behavior when running in cluster config ?

Would the user being automatically be redirected when reaching the homepage ?

I haven't tested it properly but, yes, It should redirect the user to homepage :)

[mudit06mah]

@illume Can you Please review this again? 👾

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mudit06mah]

@illume I have made the changes suggested by copilot, Can you please review this again?

[illume]

Thank you for those changes.

I noticed there's now a merge conflict.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

backend/pkg/config/config.go:451

• A new config flag/koanf key is introduced (oidc-auto-login), but there’s no corresponding config parsing test coverage. Add a test case in backend/pkg/config/config_test.go verifying the flag (and ideally HEADLAMP_CONFIG_OIDC_AUTO_LOGIN env var) correctly sets OidcAutoLogin, to prevent regressions in the flag/env precedence logic.

func addOIDCFlags(f *flag.FlagSet) {
	f.Bool("oidc-auto-login", false, "Automatic Redirect to OIDC provider")
	f.String("oidc-client-id", "", "ClientID for OIDC")
	f.String("oidc-client-secret", "", "ClientSecret for OIDC")
	f.String("oidc-validator-client-id", "", "Override ClientID for OIDC during validation")
	f.String("oidc-idp-issuer-url", "", "Identity provider issuer URL for OIDC")
	f.String("oidc-callback-url", "", "Callback URL for OIDC")
	f.String("oidc-validator-idp-issuer-url", "", "Override Identity provider issuer URL for OIDC during validation")
	f.String("oidc-scopes", "profile,email", "A comma separated list of scopes needed from the OIDC provider")
	f.Bool("oidc-skip-tls-verify", false, "Skip TLS verification for OIDC")
	f.String("oidc-ca-file", "", "CA file for OIDC")
	f.Bool("oidc-use-access-token", false, "Setup oidc to pass through the access_token instead of the default id_token")
	f.Bool("oidc-use-pkce", false, "Use PKCE (Proof Key for Code Exchange) for enhanced security in OIDC flow")
	f.String("me-username-path", DefaultMeUsernamePath,

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[illume]

Looking good.

Can you please check the final open review comments? If you disagree with them, please write in there why and mark them as resolved.

[mudit06mah]

Can you please check the final open review comments? If you disagree with them, please write in there why and mark them as resolved.

I had already made those changes earlier :)

[illume]

🎉 thanks!

This looks fine to me. I’ll leave it open a bit longer before merging to give someone else a chance to review it if they feel inclined.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: illume, mudit06mah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [illume]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mudit06mah]

@illume While working on my other PR related to adding a flag, I noticed that I have not added this flag to the values.schema.json so I made those changes right now, Please review again if necessary.