
Comments (12)

tinyzimmer avatar tinyzimmer commented on August 20, 2024

With OIDC there are a lot of variables at play that could cause that.

vdi.spec.auth.tokenDuration you almost certainly want to set to a high value (e.g. 8h) if you haven't set it at all. There is no way for the refresh token logic to work with the OIDC flow, so when your login token expires it has to login all over again. The default is 15 minutes IIRC.

As for only being able to use the default namespace, depends on the role that is assigned to you when you login. If you are an admin or assuming a VDIRole that can access other namespaces, then you might have found a bug. For reference, the example in the repo would allow all namespaces if you are in the authors group on the OIDC provider. The other configurations might be coming into play too. For instance, if you are using the allowNonGroupedReadOnly config, I might need to check if that allows all namespaces or just default.

If you are still having trouble after all that, posting your configurations might help me diagnose further.

from webmesh-vdi.

umberto10 avatar umberto10 commented on August 20, 2024

I'm using allowNonGroupedReadOnly config, with custom user attributes for mapping admin role. And if I change app namespace from default, it doesn't work. Maybe I should use this, as you said, for both admin and normal users. This is my current config:

```yaml
      tokenDuration: "10h"
      oidcAuth:
        issuerURL: "https://url"
        clientCredentialsSecret: "oidc-secret-kvdi"
        redirectURL: "https://url/api/login"
        tlsInsecureSkipVerify: True
        groupScope: kvdi-policy
        adminGroups: [ "admin-user" ]
        allowNonGroupedReadOnly: True
```

from webmesh-vdi.

tinyzimmer avatar tinyzimmer commented on August 20, 2024

Yep that makes sense.

I had to go looking again because I haven't touched that part of the code in a while, but the "default user role" that gets created with a cluster is the same as the one that gets matched up to users that don't have a "group" with OIDC and allowNonGroupedReadOnly is true. Where it gets defined is nice and centralized already here which is a plus. It does default to only allowing whatever the appNamespace is.

I'm wondering if this should be configurable. I.e. allow the user to specify custom rules for the default role. It would satisfy this use case, make the OIDC more flexible as a result, and be a nice addition to the API.

I'll probably take a stab at it this week or next when I'm looking at the other issues.

from webmesh-vdi.
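To make the role-resolution behaviour described above concrete, here is an added example that models it; this is not kvdi's own code, and the `Claims`, `AuthConfig`, `Rule`, `VDIRole`, `ResolveRoles` and `Allowed` names are hypothetical. It assumes the order discussed in the thread: an admin group grants everything everywhere, a group that names a VDIRole grants that role, and a user with no matching group either gets the built-in read-only default role scoped to the app namespace (when `allowNonGroupedReadOnly` is true) or is denied. The sample users and the `authors` role are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims is the subset of an OIDC ID token this example inspects. Groups
// stands in for whatever claim groupScope is configured to read and is
// empty for users the provider does not place in any group.
type Claims struct {
	Subject string
	Groups  []string
}

// AuthConfig carries the oidcAuth settings discussed in the thread plus the
// app namespace the built-in default role is scoped to (hypothetical struct).
type AuthConfig struct {
	AppNamespace            string
	AdminGroups             []string
	AllowNonGroupedReadOnly bool
}

// Rule is a simplified VDIRole rule: verbs permitted in a set of namespaces.
// "*" matches every verb or every namespace.
type Rule struct {
	Verbs      []string
	Namespaces []string
}

// VDIRole is a named bundle of rules (toy model, not kvdi's CRD).
type VDIRole struct {
	Name  string
	Rules []Rule
}

var ErrNoRole = errors.New("user matched no role and non-grouped access is disabled")

// DefaultRole is the read-only role handed to users without a matching group
// when AllowNonGroupedReadOnly is true. As observed in the thread, it only
// covers the app namespace.
func DefaultRole(appNamespace string) VDIRole {
	return VDIRole{
		Name:  "default",
		Rules: []Rule{{Verbs: []string{"read"}, Namespaces: []string{appNamespace}}},
	}
}

// ResolveRoles maps a logged-in user's claims to the roles they assume.
func ResolveRoles(cfg AuthConfig, c Claims, byGroup map[string]VDIRole) ([]VDIRole, error) {
	// 1. Membership in an admin group short-circuits to full access everywhere.
	for _, g := range c.Groups {
		for _, admin := range cfg.AdminGroups {
			if g == admin {
				all := Rule{Verbs: []string{"*"}, Namespaces: []string{"*"}}
				return []VDIRole{{Name: "admin", Rules: []Rule{all}}}, nil
			}
		}
	}
	// 2. Otherwise every group that names a VDIRole contributes that role.
	var roles []VDIRole
	for _, g := range c.Groups {
		if r, ok := byGroup[g]; ok {
			roles = append(roles, r)
		}
	}
	if len(roles) > 0 {
		return roles, nil
	}
	// 3. No match: fall back to the namespace-scoped default role, or deny.
	if cfg.AllowNonGroupedReadOnly {
		return []VDIRole{DefaultRole(cfg.AppNamespace)}, nil
	}
	return nil, ErrNoRole
}

// Allowed reports whether any resolved role permits verb in namespace.
func Allowed(roles []VDIRole, verb, namespace string) bool {
	for _, r := range roles {
		for _, rule := range r.Rules {
			if contains(rule.Verbs, verb) && contains(rule.Namespaces, namespace) {
				return true
			}
		}
	}
	return false
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

func main() {
	cfg := AuthConfig{AppNamespace: "default", AdminGroups: []string{"admin-user"}, AllowNonGroupedReadOnly: true}
	byGroup := map[string]VDIRole{
		"authors": {Name: "authors", Rules: []Rule{{Verbs: []string{"read", "launch"}, Namespaces: []string{"*"}}}},
	}
	for _, c := range []Claims{
		{Subject: "alice", Groups: []string{"admin-user"}},
		{Subject: "bob", Groups: []string{"authors"}},
		{Subject: "carol"}, // constructed: provider returned no group claim
	} {
		roles, err := ResolveRoles(cfg, c, byGroup)
		if err != nil {
			fmt.Println(c.Subject, "denied:", err)
			continue
		}
		fmt.Printf("%s -> launch in team-a: %v, read in default: %v\n",
			c.Subject, Allowed(roles, "launch", "team-a"), Allowed(roles, "read", "default"))
	}
}
```

Running it shows the point of the thread: `carol`, who has no group, can read in `default` but nothing in `team-a`, so moving the app namespace without giving non-grouped users a mapped role leaves them unable to see anything elsewhere. Flipping `AllowNonGroupedReadOnly` to false turns that silent read-only fallback into an explicit denial, which is the more auditable choice when every user is expected to carry a group or attribute that maps to a VDIRole.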

tinyzimmer avatar tinyzimmer commented on August 20, 2024

Wait just to make sure I'm understanding, cuz I might have gotten confused by the edit, is the constant refresh happening even with tokenDuration set to 10h?

from webmesh-vdi.

umberto10 avatar umberto10 commented on August 20, 2024

Yup, there are literally only 302 response codes in app logs. Page is refreshing all the time, and I can't do anything in web gui. My OIDP says that session is established, but I can't see it in gui, because of refreshes.

from webmesh-vdi.

tinyzimmer avatar tinyzimmer commented on August 20, 2024

Was the tokenDuration changed though? Because if so, you probably want to do a hard refresh (no-cache, e.g. Shift+F5 or new tab/window) so you can get a new token with the correct duration.

If the duration was set to 10h all along and that is the behavior, then yea you definitely found a bug that I might need help reproducing.

from webmesh-vdi.

umberto10 avatar umberto10 commented on August 20, 2024

> Yep that makes sense.
>
> I had to go looking again because I haven't touched that part of the code in a while, but the "default user role" that gets created with a cluster is the same as the one that gets matched up to users that don't have a "group" with OIDC and allowNonGroupedReadOnly is true. Where it gets defined is nice and centralized already here which is a plus. It does default to only allowing whatever the appNamespace is.
>
> I'm wondering if this should be configurable. I.e. allow the user to specify custom rules for the default role. It would satisfy this use case, make the OIDC more flexible as a result, and be a nice addition to the API.
>
> I'll probably take a stab at it this week or next when I'm looking at the other issues.

So, if I try to disable allowNonGroupedReadOnly, create a VDIRole and assign user attributes from the OIDP to them, it should work?

from webmesh-vdi.

tinyzimmer avatar tinyzimmer commented on August 20, 2024

If by "assign user attributes from OIDP" you mean provide some sort of "group" field matched up to roles you define like the example instead, then yea it will solve that issue.

I'll probably still make that default role customizable anyway because I kinda like the idea.

from webmesh-vdi.

umberto10 avatar umberto10 commented on August 20, 2024

I don't use groups in my OIDP, I'm using user attributes (key: value fields) instead.

from webmesh-vdi.

umberto10 avatar umberto10 commented on August 20, 2024

> Was the tokenDuration changed though? Because if so, you probably want to do a hard refresh (no-cache, e.g. Shift+F5 or new tab/window) so you can get a new token with the correct duration.
>
> If the duration was set to 10h all along and that is the behavior, then yea you definitely found a bug that I might need help reproducing.

It is working after uninstalling and deleting the PVs of all containers from kvdi! There is no bug with refresh, I think it just cached too much information after the test deploy.
Thanks for your help.

from webmesh-vdi.

tinyzimmer avatar tinyzimmer commented on August 20, 2024

Reopening so I remember the other idea that came up 😄

from webmesh-vdi.

tinyzimmer avatar tinyzimmer commented on August 20, 2024

> I don't use groups in my OIDP, I'm using user attributes (key: value fields) instead.

Gotcha, yea. You are doing what I intended to be possible 😛 for people that don't have "groups".

from webmesh-vdi.
