Split and add ui-identity

cnvergence · cnvergence · commit 64ef41bcdaa9 · 2026-03-30T16:13:28.000+02:00
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> On-behalf-of: @SAP karol.szwaj@sap.com
diff --git a/backend/auth/middleware.go b/backend/auth/middleware.go
@@ -44,6 +44,10 @@ type ClientType string
 const (
 	ClientTypeUI  ClientType = "ui"
 	ClientTypeCLI ClientType = "cli"
+
+	// UIIdentity is the well-known identity value that the UI sends in bind requests.
+	// The backend resolves it to the actual identity derived from the authenticated session.
+	UIIdentity = "ui-identity"
 )
 
 type AuthContext struct {
diff --git a/backend/http/handler.go b/backend/http/handler.go
@@ -360,12 +360,18 @@ func (h *handler) handleBind(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Use the cluster identity from the request, or derive from the authenticated session
-	// for UI-only flows where no consumer_id is available.
+	// Identity is always required. CLI provides the cluster identity (kube-system UID),
+	// and the UI sends the well-known "ui-identity" value.
 	identity := bindRequest.Spec.ClusterIdentity.Identity
 	if identity == "" {
+		writeErrorResponse(w, http.StatusBadRequest, kubebindv1alpha2.ErrorCodeBadRequest, "Missing cluster identity", "spec.clusterIdentity.identity is required")
+		return
+	}
+
+	// Resolve the UI sentinel to a real identity derived from the authenticated session.
+	if identity == auth.UIIdentity {
 		identity = state.Token.Issuer + "/" + state.Token.Subject
-		logger.Info("Using session-derived identity for UI-only flow", "identity", identity)
+		logger.Info("Resolved ui-identity from session", "identity", identity)
 	}
 
 	consumerID := params.ConsumerID
diff --git a/web/src/views/Resources.vue b/web/src/views/Resources.vue
@@ -321,13 +321,10 @@ const handleBind = async (templateName: string, bindingName: string) => {
     const bindUrl = buildApiUrl('/bind')
 
     // Create the binding request
-    // Use consumerId if available (CLI flow), otherwise use sessionId as cluster identity
-    // Read from Vue Router's route.query instead of window.location
-    const sessionIdFromRoute = route.query.session_id as string || ''
-    const clusterIdentity = consumerId.value || sessionIdFromRoute
-
-    // In UI-only flow, clusterIdentity may be empty - the backend will derive
-    // identity from the authenticated session (OIDC subject/issuer).
+    // CLI flow: use consumerId (kube-system namespace UID)
+    // UI flow: use the well-known "ui-identity" sentinel - the backend resolves
+    // it to the actual identity from the authenticated OIDC session.
+    const clusterIdentity = consumerId.value || 'ui-identity'
 
     const bindingRequest: BindableResourcesRequest = {
       metadata: {
