dashboard: Dashboard login fails on Chrome/Firefox
Environment
**Cluster info:**
Kubernetes version: AKS v1.16.7
Dashboard version: v2.0.0-beta8
**Client info:**
Client Operating System: Windows 10
Kubectl version: 1.18.0
Az CLI version: 2.5.1
Chrome version: 81.0.4044.138 (Official Build) (64-bit)
Edge version: 44.18362.449.0
Firefox version: 76.0.1 (64-bit)
Steps to reproduce
Deploy a v1.16.7 AKS cluster. By default, dashboard version v2.0.0-beta8 is deployed with this cluster via the AddOnManager. Try to access the dashboard via `kubectl proxy` or `az aks browse`. When clicking the login button on Chrome/Firefox after entering a valid user token, nothing happens and you are left at the login page.
Observed result
Upgrading our AKS cluster to v1.16.7 also updated the dashboard version. Users were no longer able to log in via Chrome/Firefox. This is due to the new login page, which requires config/token input to authenticate. After entering a valid token and clicking on the login button, nothing happens. When looking in the browser debugging tools, 200 status codes can be seen after clicking the login button. No error messages are returned, whereas if I try an intentionally invalid token I receive an error message. However, when I try the login process on Edge with the valid token, the login works as expected and the dashboard loads!
Expected result
Expect to be able to login to dashboard on Chrome/Firefox/Edge.
Comments
- The login process works flawlessly on Microsoft Edge.
- Issue is present on multiple separate AKS clusters (not isolated to 1 cluster).
- Issue is seen on multiple developer machines (not isolated to 1 client).
- Originally we thought there might be an RBAC issue (even though no errors are returned after clicking login) until we discovered Edge worked just fine.
- Per the comment above, we have RBAC enabled clusters.
- The AKS admin account and service account tokens work properly when logging in via Chrome/Firefox. But when using a user account token this only works on Edge.
- I tried manually deploying newer versions of the dashboard such as v2.0.0-rc3 and v2.0.0 and encountered the same login issues on Chrome/Firefox.
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 21 (9 by maintainers)
The best option is to configure an OAuth reverse proxy with some IdP plugin that will first force you to log in using e.g. Google/GitHub, and then the K8S API will return a user-specific token directly to your proxy. The proxy then takes it and appends it to the Authorization header before forwarding the request to Dashboard. This way, even if someone somehow manages to bypass the proxy and access Dashboard without logging in, there will be nothing to see, as Dashboard itself basically does not have any privileges. Remember to also expose your ingress over HTTPS only. Dashboard then does not need custom certificates; it can be exposed only inside the cluster.
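The proxy pattern the comment above describes, as an added example that is not code from the Dashboard project or from the commenter: a minimal Go reverse proxy that rejects requests without a valid session cookie, and for valid sessions overwrites the `Authorization` header with that user's bearer token before forwarding to Dashboard (which accepts a token in `Authorization: Bearer`, as the comment relies on). The cookie name `_dash_session`, the HMAC-signed cookie format, the in-memory session store, the HMAC key and the in-cluster upstream URL are all assumptions; the IdP login callback that would fill the store is not shown.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// sessionStore maps an opaque session ID to the Kubernetes bearer token the
// IdP login flow obtained for that user. Assumption: the OIDC callback handler
// (not shown) fills this in; here it is a plain in-memory map.
type sessionStore map[string]string

const sessionCookie = "_dash_session" // assumed cookie name

// sign returns a hex HMAC-SHA256 of the session ID under key, so a client
// cannot mint a cookie for a session it never completed.
func sign(key []byte, id string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(id))
	return hex.EncodeToString(m.Sum(nil))
}

// newSessionCookie is what the login callback would set after the IdP
// redirect: "<id>.<hmac>". Secure and HttpOnly because the ingress is
// HTTPS-only and page script has no reason to read the cookie.
func newSessionCookie(key []byte, id string) *http.Cookie {
	return &http.Cookie{
		Name:     sessionCookie,
		Value:    id + "." + sign(key, id),
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
}

// tokenForSession validates the cookie and returns the bound bearer token,
// or "" if the cookie is missing, malformed, forged, or unknown.
func tokenForSession(r *http.Request, key []byte, store sessionStore) string {
	c, err := r.Cookie(sessionCookie)
	if err != nil {
		return ""
	}
	parts := strings.SplitN(c.Value, ".", 2)
	if len(parts) != 2 {
		return ""
	}
	id, mac := parts[0], parts[1]
	if !hmac.Equal([]byte(mac), []byte(sign(key, id))) {
		return ""
	}
	return store[id]
}

// newAuthProxy returns the handler placed in front of Dashboard. A request
// without a valid session never reaches Dashboard; otherwise the session's
// token is written into the Authorization header, overwriting anything the
// client sent, and the request is forwarded to upstream.
func newAuthProxy(upstream *url.URL, key []byte, store sessionStore) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := tokenForSession(r, key, store)
		if tok == "" {
			// A real proxy would redirect to the IdP login page here.
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		r.Header.Set("Authorization", "Bearer "+tok)
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed in-cluster Dashboard service; if it serves a self-signed
	// certificate, rp.Transport must be configured to trust it.
	upstream, err := url.Parse("https://kubernetes-dashboard.kubernetes-dashboard.svc")
	if err != nil {
		log.Fatal(err)
	}
	key := []byte("replace-with-a-random-32-byte-secret")
	store := sessionStore{} // populated by the (not shown) login callback
	log.Fatal(http.ListenAndServe(":8080", newAuthProxy(upstream, key, store)))
}
```

The point the comment makes holds only if the token lives in the proxy's store and never in the browser: the client's own `Authorization` header is discarded, so someone who reaches the proxy with a stolen or guessed header still gets the Dashboard's own (empty) privileges, and someone who reaches Dashboard directly has no token at all.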
@SayakMukhopadhyay try out a new release once Travis pushes the images.
I must say that the browser behaviour is very unreliable around this. I have used Chrome, Firefox and Edge (all latest as of this post) and none of them accepts my 2k-long `access_token` (which creates a more than 4k-long `jweToken`). Moreover, I never got an error message in the console, which is why I actually spent 3 days straight troubleshooting this issue before I literally stumbled across the issue I linked.
@OnAzureCloud9 are you using the `auth-provider.config.access-token` generated after logging in through Azure AD? If so, you might be facing an issue wherein the `access-token` provided by Azure is so long that the generated `jweToken` exceeds the 4KB size limit of browser cookies. Just check the size of the token that you are entering and see if it is around 2k characters long. See #3081