fix(auth): resolve user UID via SelfSubjectReview for external authentication (#134)
* fix(auth): resolve user UID via SelfSubjectReview for BYO external auth
Use authentication.k8s.io SelfSubjectReview as the primary method to
obtain the authenticated user's Kubernetes UID when verifying requests
to /exec/init and /activity/tick. Fall back to the OpenShift User API
when SelfSubjectReview is unavailable, preserving compatibility with
older clusters.
Fixes Web Terminal failures with BYO External Authentication where
user.openshift.io/v1 is not available.
* fix : update error messages to be more generic
Signed-off-by: Rohan Kumar <rohaan@redhat.com>
* fix : handle empty UID case in token claims
Signed-off-by: Rohan Kumar <rohaan@redhat.com>
---------
Signed-off-by: Rohan Kumar <rohaan@redhat.com>
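The following is an added example by the editor, not code from this PR or from the web-terminal project. It sketches in Go the resolution order the commit message describes: a `POST` to `/apis/authentication.k8s.io/v1/selfsubjectreviews` (the `authentication.k8s.io` SelfSubjectReview), with a `GET` of `/apis/user.openshift.io/v1/users/~` (the OpenShift User API) used only when the first endpoint is not served. It talks to the REST paths directly with `net/http` instead of client-go so it runs offline against a constructed `httptest` server; `resolveUID`, `call`, `nonEmpty`, `newFakeAPIServer`, `ErrEmptyUID` and the sample tokens and UID are assumptions, not names from the project. It also handles the two failure modes the commit message mentions: the fallback is taken only when the API is unavailable (404), never on a 401/403, and an empty UID in the review fails the check rather than passing it.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

var ErrEmptyUID = errors.New("authenticated user has no UID") // token accepted but no UID reported: fail closed

// resolveUID (hypothetical name) maps a bearer token to the Kubernetes UID it authenticates as, against apiServer
// (e.g. https://kubernetes.default.svc; client must trust the cluster CA). It posts an empty SelfSubjectReview first;
// only a 404 (API group not served, as on older clusters) triggers the fallback to GET /users/~. A 401/403 or an
// empty UID is final, so a token rejected by one path is never retried on the other.
func resolveUID(ctx context.Context, client *http.Client, apiServer, token string) (string, error) {
	var ssr struct{ Status struct{ UserInfo struct{ UID string `json:"uid"` } `json:"userInfo"` } `json:"status"` } // status.userInfo.uid
	review := strings.NewReader(`{"apiVersion":"authentication.k8s.io/v1","kind":"SelfSubjectReview"}`)
	status, err := call(ctx, client, http.MethodPost, apiServer+"/apis/authentication.k8s.io/v1/selfsubjectreviews", token, review, &ssr)
	switch {
	case err != nil:
		return "", err
	case status == http.StatusOK || status == http.StatusCreated:
		return nonEmpty(ssr.Status.UserInfo.UID)
	case status != http.StatusNotFound:
		return "", fmt.Errorf("SelfSubjectReview rejected: HTTP %d", status)
	}
	// 404: the authentication.k8s.io API is not served here, so fall back to the OpenShift User API.
	var user struct{ Metadata struct{ UID string `json:"uid"` } `json:"metadata"` }
	status, err = call(ctx, client, http.MethodGet, apiServer+"/apis/user.openshift.io/v1/users/~", token, nil, &user)
	if err != nil {
		return "", err
	}
	if status != http.StatusOK {
		return "", fmt.Errorf("OpenShift User API rejected: HTTP %d", status)
	}
	return nonEmpty(user.Metadata.UID)
}

func nonEmpty(uid string) (string, error) {
	if uid == "" {
		return "", ErrEmptyUID
	}
	return uid, nil
}

// call sends one bearer-authenticated JSON request; on a 2xx it decodes the (size-capped) body into out.
func call(ctx context.Context, client *http.Client, method, url, token string, body io.Reader, out any) (int, error) {
	req, err := http.NewRequestWithContext(ctx, method, url, body)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return resp.StatusCode, nil
	}
	return resp.StatusCode, json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(out)
}

// newFakeAPIServer is a constructed stand-in for a cluster, not a real API server: tokens maps each bearer token to the
// UID it reports ("" simulates the empty-UID case); selfSubjectReview=false leaves the authentication.k8s.io route
// unregistered, so the resolver sees a 404 there exactly as on an older cluster.
func newFakeAPIServer(selfSubjectReview bool, tokens map[string]string) *httptest.Server {
	mux := http.NewServeMux()
	handle := func(path, format string) {
		mux.HandleFunc(path, func(w http.ResponseWriter, r *http.Request) {
			uid, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
			if !ok {
				w.WriteHeader(http.StatusUnauthorized)
				return
			}
			fmt.Fprintf(w, format, uid)
		})
	}
	if selfSubjectReview {
		handle("/apis/authentication.k8s.io/v1/selfsubjectreviews", `{"status":{"userInfo":{"uid":%q}}}`)
	}
	handle("/apis/user.openshift.io/v1/users/~", `{"metadata":{"uid":%q}}`)
	return httptest.NewServer(mux)
}

func main() { // run each constructed token against a current cluster and an older one without SelfSubjectReview
	for _, modern := range []bool{true, false} {
		srv := newFakeAPIServer(modern, map[string]string{"tok-alice": "c0ffee-constructed-uid", "tok-nouid": ""})
		for _, tok := range []string{"tok-alice", "tok-nouid", "tok-bogus"} {
			uid, err := resolveUID(context.Background(), srv.Client(), srv.URL, tok)
			fmt.Printf("selfSubjectReview=%-5v %-9s uid=%q err=%v\n", modern, tok, uid, err)
		}
		srv.Close()
	}
}
```

One caveat for real deployments: this probes only `authentication.k8s.io/v1`, which is served from Kubernetes 1.28 onward. Clusters on 1.26 and 1.27 expose SelfSubjectReview only as `v1alpha1` (behind a feature gate) and `v1beta1` respectively, so a resolver that must cover them should check those versions, or API discovery, before treating the API as unavailable and falling back to the User API.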
Endpoints that require authentication expect a user's OpenShift token to be passed in a `X-Access-Token` or `X-Forwarded-Access-Token` header on the request. This token is used to
-
1. Verify that the user making the request is the authorized user for the current terminal
+
1. Verify that the user making the request is the authorized user for the current terminal, by resolving the user's Kubernetes UID via `SelfSubjectReview` (with fallback to the OpenShift User API when needed)
2. Execute the pods/exec API call that interacts with the container into which kubeconfig is being injected (if applicable)
If a token is not provided or does not match what is expected, the server returns `HTTP 401`
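Review bot: the added wording "with fallback to the OpenShift User API when needed" on the new step 1 leaves the fallback condition unstated, and that condition is the security-relevant part: a fallback taken on any `SelfSubjectReview` error, rather than only when the API is not served, would let a token rejected on one path be retried on the other. Spell out the condition the commit message gives, for example "by resolving the user's Kubernetes UID via `SelfSubjectReview`, falling back to the OpenShift User API (`user.openshift.io/v1`) only on clusters where `authentication.k8s.io` SelfSubjectReview is unavailable". The same step should also say what the resolved UID is compared against to establish that the caller is the authorized user for the terminal, and that a lookup returning no UID is rejected, since the commit message calls out handling the empty-UID case and the trailing `HTTP 401` sentence does not say whether a failed or empty UID lookup is covered by "does not match what is expected".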