
Commit 64ef41b

Split and add ui-identity
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> On-behalf-of: @SAP karol.szwaj@sap.com
1 parent f5cbdbc commit 64ef41b

3 files changed

Lines changed: 17 additions & 10 deletions


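--- a/backend/auth/middleware.go
+++ b/backend/auth/middleware.go
@@ -44,6 +44,10 @@ type ClientType string
 const (
 ClientTypeUI ClientType = "ui"
 ClientTypeCLI ClientType = "cli"
+
+// UIIdentity is the well-known identity value that the UI sends in bind requests.
+// The backend resolves it to the actual identity derived from the authenticated session.
+UIIdentity = "ui-identity"
 )
 
 type AuthContext struct {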
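Review bot: UIIdentity is a wire-protocol sentinel that the frontend duplicates as a string literal, so the doc comment on the new lines 48–49 should say so and name the other copy, e.g. `// Its value is part of the bind API contract and must stay in sync with the 'ui-identity' literal in web/src/views/Resources.vue.` The comment should also make clear that nothing about the constant restricts who may send it — any client can put this value in spec.clusterIdentity.identity — so the handler that resolves it owns the decision of which callers are allowed to use it. A smaller point of style: the new constant is untyped while its neighbours are ClientType values, which is correct (it is an identity, not a client type), but declaring it in its own const block would make that distinction visible at a glance.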

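--- a/backend/http/handler.go
+++ b/backend/http/handler.go
@@ -360,12 +360,18 @@ func (h *handler) handleBind(w http.ResponseWriter, r *http.Request) {
 return
 }
 
-// Use the cluster identity from the request, or derive from the authenticated session
-// for UI-only flows where no consumer_id is available.
+// Identity is always required. CLI provides the cluster identity (kube-system UID),
+// and the UI sends the well-known "ui-identity" value.
 identity := bindRequest.Spec.ClusterIdentity.Identity
 if identity == "" {
+writeErrorResponse(w, http.StatusBadRequest, kubebindv1alpha2.ErrorCodeBadRequest, "Missing cluster identity", "spec.clusterIdentity.identity is required")
+return
+}
+
+// Resolve the UI sentinel to a real identity derived from the authenticated session.
+if identity == auth.UIIdentity {
 identity = state.Token.Issuer + "/" + state.Token.Subject
-logger.Info("Using session-derived identity for UI-only flow", "identity", identity)
+logger.Info("Resolved ui-identity from session", "identity", identity)
 }
 
 consumerID := params.ConsumerID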
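Review bot: The new `if identity == auth.UIIdentity {` branch resolves the sentinel for any caller, while the comment above it states that only the UI sends it; nothing in the hunk consults the client type from the auth context, so a CLI request that carries the literal "ui-identity" would be bound under the session's issuer/subject instead of its cluster UID. Whether that path is reachable depends on the checks earlier in handleBind, which starts before this hunk and continues past it; if the AuthContext records the client type (middleware.go declares ClientTypeUI and ClientTypeCLI), gating this branch on it and returning a bad-request error for the sentinel otherwise would make the comment's claim enforceable rather than descriptive. The branch also dereferences `state.Token` with no nil check visible here — fine if the earlier part of the function already guarantees an authenticated session at this point, otherwise a 4xx response would be preferable to a panic.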

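--- a/web/src/views/Resources.vue
+++ b/web/src/views/Resources.vue
@@ -321,13 +321,10 @@ const handleBind = async (templateName: string, bindingName: string) => {
 const bindUrl = buildApiUrl('/bind')
 
 // Create the binding request
-// Use consumerId if available (CLI flow), otherwise use sessionId as cluster identity
-// Read from Vue Router's route.query instead of window.location
-const sessionIdFromRoute = route.query.session_id as string || ''
-const clusterIdentity = consumerId.value || sessionIdFromRoute
-
-// In UI-only flow, clusterIdentity may be empty - the backend will derive
-// identity from the authenticated session (OIDC subject/issuer).
+// CLI flow: use consumerId (kube-system namespace UID)
+// UI flow: use the well-known "ui-identity" sentinel - the backend resolves
+// it to the actual identity from the authenticated OIDC session.
+const clusterIdentity = consumerId.value || 'ui-identity'
 
 const bindingRequest: BindableResourcesRequest = {
 metadata: {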
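Review bot: The `'ui-identity'` literal on new line 327 is the same protocol value that backend/auth/middleware.go defines as `UIIdentity`, and as a bare string inside handleBind a typo would not fail any check here — the backend would simply treat the misspelt value as a literal cluster identity — so it should be a named constant: `const UI_IDENTITY = 'ui-identity' // must match auth.UIIdentity on the backend` at module scope (the top of the script block, outside this hunk) and `const clusterIdentity = consumerId.value || UI_IDENTITY` on line 327. Using `||` rather than `??` is appropriate here only if an empty-string consumerId is meant to fall through to the UI flow, which the new comment implies; a short note saying so would stop a later reader from "fixing" it. handleBind starts before this hunk and continues past it.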
