Skip to content

Backend: Frontend: Add OIDC Autologin#4475

Open
mudit06mah wants to merge 4 commits intokubernetes-sigs:mainfrom
mudit06mah:feat/oidc_autologin
Open

Backend: Frontend: Add OIDC Autologin#4475
mudit06mah wants to merge 4 commits intokubernetes-sigs:mainfrom
mudit06mah:feat/oidc_autologin

Conversation

@mudit06mah
Copy link
Contributor

@mudit06mah mudit06mah commented Jan 28, 2026
edited
Loading

Summary

This PR Adds feature to enable Autologin on OIDC as well as support for OIDC autologin.

Related Issue

Fixes #4343

Changes

  • Added oidc-auto-login flag to headlamp-server
  • Added support in redux for configs
  • Added authentication login to Layout.tsx

Steps to Test

  1. Start headlamp server with flag oidc-auto-login=true and other oidc flags (oidc-client-id, oidc-idp-issuer-url, etc.)
  2. Set up cluster with auth-provider = 'oidc'
  3. Navigate to OIDC cluster, Redirects to OIDC provider's login screen.

Screenshots

oidc_autologin.mp4

Note

I couldn't correctly configure my OIDC client locally, but it completely works logically as intended.

@k8s-ci-robot k8s-ci-robot requested review from illume and sniok January 28, 2026 19:53
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 28, 2026
@mudit06mah mudit06mah mentioned this pull request Jan 28, 2026
Open
@illume illume requested a review from Copilot January 28, 2026 20:43
Copilot AI reviewed Jan 28, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request adds OIDC auto-login functionality to Headlamp, allowing automatic redirection to the OIDC provider when enabled via the oidc-auto-login server flag. This eliminates the manual step of clicking "Sign In" for OIDC-authenticated clusters.

Changes:

  • Added oidc-auto-login configuration flag to the backend that can be enabled via command line
  • Extended Redux state to store the oidcAutoLogin setting from the backend configuration
  • Implemented auto-redirect logic in the Layout component to automatically initiate OIDC authentication flow

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
backend/pkg/config/config.go Adds OidcAutoLogin boolean field and corresponding command-line flag
backend/cmd/server.go Initializes OidcAutoLogin from config when creating HeadlampConfig
backend/cmd/headlamp.go Adds OidcAutoLogin field to HeadlampConfig struct and includes it in clientConfig API response
backend/cmd/stateless.go Includes oidcAutoLogin in clientConfig for parseKubeConfig endpoint (hardcoded to false)
frontend/src/redux/configSlice.ts Adds oidcAutoLogin field to ConfigState and updates setConfig action to accept it
frontend/src/components/authchooser/index.tsx Preserves oidcAutoLogin when updating cluster config after auth testing
frontend/src/components/App/Layout.tsx Implements auto-redirect logic via useEffect that redirects to OIDC provider when conditions are met

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 29, 2026
@mudit06mah mudit06mah force-pushed the feat/oidc_autologin branch 2 times, most recently from 0e497aa to 836eafc Compare January 29, 2026 13:33
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 29, 2026
@mudit06mah
Copy link
Contributor Author

mudit06mah commented Jan 29, 2026

@illume I have made all the changes requested by copilot, Please review this again :)

@menardorama
Copy link

menardorama commented Jan 30, 2026

Hi that's awesome!

What would be the behavior when running in cluster config ?

Would the user being automatically be redirected when reaching the homepage ?

Anyway thanks a lot

@mudit06mah
Copy link
Contributor Author

mudit06mah commented Jan 31, 2026

What would be the behavior when running in cluster config ?

Would the user being automatically be redirected when reaching the homepage ?

I haven't tested it properly but, yes, It should redirect the user to homepage :)

@mudit06mah
Copy link
Contributor Author

mudit06mah commented Feb 2, 2026

@illume Can you Please review this again? 👾

@illume illume requested a review from Copilot February 4, 2026 11:53
Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 8 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@mudit06mah
Copy link
Contributor Author

mudit06mah commented Feb 4, 2026

@illume I have made the changes suggested by copilot, Can you please review this again?

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 7, 2026
illume
illume requested changes Feb 8, 2026
View reviewed changes
Copy link
Contributor

@illume illume left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for those changes.

I noticed there's now a merge conflict.

@illume illume requested a review from Copilot February 8, 2026 14:17
@illume illume added backend Issues related to the backend oidc Issue related to OIDC labels Feb 8, 2026
Copilot AI reviewed Feb 8, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

backend/pkg/config/config.go:451

  • A new config flag/koanf key is introduced (oidc-auto-login), but there’s no corresponding config parsing test coverage. Add a test case in backend/pkg/config/config_test.go verifying the flag (and ideally HEADLAMP_CONFIG_OIDC_AUTO_LOGIN env var) correctly sets OidcAutoLogin, to prevent regressions in the flag/env precedence logic.
func addOIDCFlags(f *flag.FlagSet) {
	f.Bool("oidc-auto-login", false, "Automatic Redirect to OIDC provider")
	f.String("oidc-client-id", "", "ClientID for OIDC")
	f.String("oidc-client-secret", "", "ClientSecret for OIDC")
	f.String("oidc-validator-client-id", "", "Override ClientID for OIDC during validation")
	f.String("oidc-idp-issuer-url", "", "Identity provider issuer URL for OIDC")
	f.String("oidc-callback-url", "", "Callback URL for OIDC")
	f.String("oidc-validator-idp-issuer-url", "", "Override Identity provider issuer URL for OIDC during validation")
	f.String("oidc-scopes", "profile,email", "A comma separated list of scopes needed from the OIDC provider")
	f.Bool("oidc-skip-tls-verify", false, "Skip TLS verification for OIDC")
	f.String("oidc-ca-file", "", "CA file for OIDC")
	f.Bool("oidc-use-access-token", false, "Setup oidc to pass through the access_token instead of the default id_token")
	f.Bool("oidc-use-pkce", false, "Use PKCE (Proof Key for Code Exchange) for enhanced security in OIDC flow")
	f.String("me-username-path", DefaultMeUsernamePath,

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@mudit06mah mudit06mah force-pushed the feat/oidc_autologin branch 2 times, most recently from 8e87ad4 to f00c57c Compare February 10, 2026 15:26
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 10, 2026
@mudit06mah mudit06mah requested a review from illume February 11, 2026 14:24
illume
illume requested changes Feb 11, 2026
View reviewed changes
Copy link
Contributor

@illume illume left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good.

Can you please check the final open review comments? If you disagree with them, please write in there why and mark them as resolved.

@mudit06mah
Copy link
Contributor Author

mudit06mah commented Feb 11, 2026

Can you please check the final open review comments? If you disagree with them, please write in there why and mark them as resolved.

I had already made those changes earlier :)

illume
illume approved these changes Feb 11, 2026
View reviewed changes
Copy link
Contributor

@illume illume left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉 thanks!

This looks fine to me. I’ll leave it open a bit longer before merging to give someone else a chance to review it if they feel inclined.

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Feb 11, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: illume, mudit06mah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 11, 2026
@mudit06mah
Copy link
Contributor Author

mudit06mah commented Feb 12, 2026

@illume While working on my other PR related to adding a flag, I noticed that I have not added this flag to the values.schema.json so I made those changes right now, Please review again if necessary.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@illume illume illume approved these changes

@sniok sniok Awaiting requested review from sniok

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. backend Issues related to the backend cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. oidc Issue related to OIDC size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Enable autologin on OIDC

4 participants

@mudit06mah @menardorama @k8s-ci-robot @illume