kbind-dev
diff --git a/‎backend/auth/handler.go‎
Lines changed: 3 additions & 3 deletions b/‎backend/auth/handler.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎backend/auth/middleware.go‎
Lines changed: 3 additions & 3 deletions b/‎backend/auth/middleware.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎backend/http/handler.go‎
Lines changed: 1 addition & 2 deletions b/‎backend/http/handler.go‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎backend/options/options.go‎
Lines changed: 19 additions & 8 deletions b/‎backend/options/options.go‎
Lines changed: 19 additions & 8 deletions
diff --git a/‎backend/options/session.go‎
Lines changed: 64 additions & 0 deletions b/‎backend/options/session.go‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎backend/server.go‎
Lines changed: 8 additions & 0 deletions b/‎backend/server.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎backend/session/redis.go‎
Lines changed: 131 additions & 0 deletions b/‎backend/session/redis.go‎
Lines changed: 131 additions & 0 deletions
@@ -118,7 +118,7 @@ func (ah *AuthHandler) HandleAuthorize(w http.ResponseWriter, r *http.Request) {
 		ah.respondWithError(w, authReq.ClientType, "failed to generate PKCE", http.StatusInternalServerError)
 		return
 	}
-	if err := ah.sessionStore.SavePKCEVerifier(authReq.SessionID, verifier); err != nil {
+	if err := ah.sessionStore.SavePKCEVerifier(r.Context(), authReq.SessionID, verifier); err != nil {
 		logger.Error(err, "failed to store PKCE verifier")
 		ah.respondWithError(w, authReq.ClientType, "failed to store PKCE verifier", http.StatusInternalServerError)
 		return
@@ -194,7 +194,7 @@ func (ah *AuthHandler) HandleCallback(w http.ResponseWriter, r *http.Request) {
 		ctx = context.WithValue(ctx, oauth2.HTTPClient, client)
 	}
 
-	verifier, err := ah.sessionStore.LoadAndDeletePKCEVerifier(authCode.SessionID)
+	verifier, err := ah.sessionStore.LoadAndDeletePKCEVerifier(r.Context(), authCode.SessionID)
 	if err != nil || verifier == "" {
 		logger.Error(err, "PKCE verifier not found for session; cannot exchange code", "sessionID", authCode.SessionID)
 		msg := "PKCE verifier not found. If you run multiple backend instances, use a shared session store (e.g. Redis) so the instance handling the callback can read the verifier stored at authorize time."
@@ -217,7 +217,7 @@ func (ah *AuthHandler) HandleCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// Set session expiration and store in middleware
-	err = ah.sessionStore.Save(sessionState)
+	err = ah.sessionStore.Save(r.Context(), sessionState)
 	if err != nil {
 		logger.Error(err, "failed to save session state")
 		http.Error(w, "internal error", http.StatusInternalServerError)
 
@@ -182,7 +182,7 @@ func (am *AuthMiddleware) verifyState(next http.Handler) http.Handler {
 			return
 		}
 
-		if !am.isValidSession(state.SessionID) {
+		if !am.isValidSession(r.Context(), state.SessionID) {
 			logger.V(2).Info("Session expired or invalid", "sessionID", state.SessionID)
 			writeErrorResponse(w, http.StatusUnauthorized, kubebindv1alpha2.ErrorCodeAuthenticationFailed, "Authentication required", "Session has expired or is invalid")
 			return
@@ -197,8 +197,8 @@ func (am *AuthMiddleware) verifyState(next http.Handler) http.Handler {
 }
 
 // isValidSession checks if a session ID exists and hasn't expired
-func (am *AuthMiddleware) isValidSession(sessionID string) bool {
-	sessionInfo, err := am.sessionStore.Load(sessionID)
+func (am *AuthMiddleware) isValidSession(ctx context.Context, sessionID string) bool {
+	sessionInfo, err := am.sessionStore.Load(ctx, sessionID)
 	if err != nil {
 		return false
 	}
 
@@ -112,15 +112,14 @@ func NewHandler(
 	mgr *kubernetes.Manager,
 	frontend string,
 	tokenExpiry time.Duration,
+	sessionStore session.Store,
 ) (*handler, error) {
 	// Create JWT service for CLI authentication
 	jwtService, err := auth.NewJWTService("kube-bind-backend")
 	if err != nil {
 		return nil, fmt.Errorf("failed to create JWT service: %w", err)
 	}
 
-	sessionStore := session.NewInMemoryStore()
-
 	// Create auth middleware for request authentication
 	authMiddleware := auth.NewAuthMiddleware(jwtService, cookieSigningKey, cookieEncryptionKey, mgr, sessionStore)
 
 
@@ -33,10 +33,11 @@ import (
 )
 
 type Options struct {
-	Logs   *logs.Options
-	OIDC   *OIDC
-	Cookie *Cookie
-	Serve  *Serve
+	Logs    *logs.Options
+	OIDC    *OIDC
+	Cookie  *Cookie
+	Serve   *Serve
+	Session *Session
 
 	ProviderKcp *providerkcp.Options
 
@@ -81,10 +82,11 @@ type ExtraOptions struct {
 }
 
 type completedOptions struct {
-	Logs   *logs.Options
-	OIDC   *OIDC
-	Cookie *Cookie
-	Serve  *Serve
+	Logs    *logs.Options
+	OIDC    *OIDC
+	Cookie  *Cookie
+	Serve   *Serve
+	Session *Session
 
 	// Provider specific options
 	ProviderKcp *providerkcp.CompletedOptions
@@ -106,6 +108,7 @@ func NewOptions() *Options {
 		OIDC:        NewOIDC(),
 		Cookie:      NewCookie(),
 		Serve:       NewServe(),
+		Session:     NewSession(),
 		ProviderKcp: providerkcp.NewOptions(),
 
 		ExtraOptions: ExtraOptions{
@@ -155,6 +158,7 @@ func (options *Options) AddFlags(fs *pflag.FlagSet) {
 	options.OIDC.AddFlags(fs)
 	options.Cookie.AddFlags(fs)
 	options.Serve.AddFlags(fs)
+	options.Session.AddFlags(fs)
 	options.ProviderKcp.AddFlags(fs)
 
 	fs.StringVar(&options.KubeConfig, "kubeconfig", options.KubeConfig, "path to a kubeconfig. Only required if out-of-cluster")
@@ -207,6 +211,9 @@ func (options *Options) Complete() (*CompletedOptions, error) {
 		if err := options.Cookie.Complete(); err != nil {
 			return nil, err
 		}
+		if err := options.Session.Complete(); err != nil {
+			return nil, err
+		}
 	}
 
 	// normalize the scope and the isolation
@@ -243,6 +250,7 @@ func (options *Options) Complete() (*CompletedOptions, error) {
 			OIDC:         options.OIDC,
 			Cookie:       options.Cookie,
 			Serve:        options.Serve,
+			Session:      options.Session,
 			ExtraOptions: options.ExtraOptions,
 		},
 	}
@@ -276,6 +284,9 @@ func (options *CompletedOptions) Validate() error {
 		if err := options.Cookie.Validate(); err != nil {
 			return err
 		}
+		if err := options.Session.Validate(); err != nil {
+			return err
+		}
 	}
 
 	if options.ConsumerScope != string(kubebindv1alpha2.NamespacedScope) && options.ConsumerScope != string(kubebindv1alpha2.ClusterScope) {
 
@@ -0,0 +1,64 @@
+/*
+Copyright 2026 The Kube Bind Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"fmt"
+
+	"github.com/spf13/pflag"
+)
+
+type SessionType string
+
+const (
+	SessionTypeInMemory SessionType = "inmemory"
+	SessionTypeRedis    SessionType = "redis"
+)
+
+type Session struct {
+	Type          SessionType
+	RedisAddress  string
+	RedisPassword string
+}
+
+func NewSession() *Session {
+	return &Session{
+		Type: SessionTypeInMemory,
+	}
+}
+
+func (options *Session) AddFlags(fs *pflag.FlagSet) {
+	fs.StringVar((*string)(&options.Type), "session-storage-backend", string(options.Type), "The session storage backend to use. Possible values are: 'inmemory', 'redis'")
+	fs.StringVar(&options.RedisAddress, "redis-addr", options.RedisAddress, "The redis address (e.g. localhost:6379) to connect to if session-storage-backend=redis")
+	fs.StringVar(&options.RedisPassword, "redis-password", options.RedisPassword, "The connection password to use if session-storage-backend=redis")
+}
+
+func (options *Session) Complete() error {
+	return nil
+}
+
+func (options *Session) Validate() error {
+	if options.Type != SessionTypeInMemory && options.Type != SessionTypeRedis {
+		return fmt.Errorf("unknown session storage backend %q, must be either 'inmemory' or 'redis'", options.Type)
+	}
+
+	if options.Type == SessionTypeRedis && options.RedisAddress == "" {
+		return fmt.Errorf("redis-addr must be specified when using session-storage-backend=redis")
+	}
+
+	return nil
+}
@@ -38,6 +38,8 @@ import (
 	"github.com/kube-bind/kube-bind/backend/controllers/servicenamespace"
 	http "github.com/kube-bind/kube-bind/backend/http"
 	kube "github.com/kube-bind/kube-bind/backend/kubernetes"
+	backendoptions "github.com/kube-bind/kube-bind/backend/options"
+	"github.com/kube-bind/kube-bind/backend/session"
 	kubebindv1alpha2 "github.com/kube-bind/kube-bind/sdk/apis/kubebind/v1alpha2"
 )
 
@@ -126,6 +128,11 @@ func NewServer(ctx context.Context, c *Config) (*Server, error) {
 			}
 		}
 
+		sessionStore := session.NewInMemoryStore()
+		if c.Options.Session.Type == backendoptions.SessionTypeRedis {
+			sessionStore = session.NewRedisStore(c.Options.Session.RedisAddress, c.Options.Session.RedisPassword)
+		}
+
 		handler, err := http.NewHandler(
 			s,
 			s.Config.Options.OIDC.OIDCServer,
@@ -140,6 +147,7 @@ func NewServer(ctx context.Context, c *Config) (*Server, error) {
 			s.Kubernetes,
 			c.Options.Frontend,
 			c.Options.TokenExpiry,
+			sessionStore,
 		)
 		if err != nil {
 			return nil, fmt.Errorf("error setting up HTTP Handler: %w", err)
 
@@ -0,0 +1,131 @@
+/*
+Copyright 2026 The Kube Bind Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package session
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/redis/go-redis/v9"
+	"github.com/vmihailenco/msgpack/v4"
+	"k8s.io/klog/v2"
+)
+
+type RedisStore struct {
+	client *redis.Client
+}
+
+func NewRedisStore(redisAddr string, redisPassword string) Store {
+	client := redis.NewClient(&redis.Options{
+		Addr:     redisAddr,
+		Password: redisPassword,
+		DB:       0,
+	})
+
+	return &RedisStore{
+		client: client,
+	}
+}
+
+func (s *RedisStore) Save(ctx context.Context, state *State) error {
+	encoded, err := state.Encode()
+	if err != nil {
+		return fmt.Errorf("failed to encode state: %w", err)
+	}
+
+	key := fmt.Sprintf("session:%s", state.SessionID)
+
+	var ttl time.Duration = 0
+	if !state.ExpiresAt.IsZero() {
+		ttl = time.Until(state.ExpiresAt)
+		if ttl <= 0 {
+			klog.FromContext(context.Background()).V(4).Info("Session already expired, skipping saving to redis", "sessionID", state.SessionID)
+			return nil
+		}
+	}
+
+	err = s.client.Set(ctx, key, encoded, ttl).Err()
+	if err != nil {
+		return fmt.Errorf("failed to save session to redis: %w", err)
+	}
+	return nil
+}
+
+func (s *RedisStore) Load(ctx context.Context, sessionID string) (*State, error) {
+	key := fmt.Sprintf("session:%s", sessionID)
+
+	val, err := s.client.Get(ctx, key).Bytes()
+	if err != nil {
+		if errors.Is(err, redis.Nil) {
+			return nil, ErrSessionNotFound
+		}
+		return nil, fmt.Errorf("failed to load session from redis: %w", err)
+	}
+
+	var state State
+	err = msgpack.Unmarshal(val, &state)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode state from redis: %w", err)
+	}
+
+	return &state, nil
+}
+
+func (s *RedisStore) Delete(ctx context.Context, sessionID string) error {
+	key := fmt.Sprintf("session:%s", sessionID)
+	err := s.client.Del(ctx, key).Err()
+	if err != nil {
+		return fmt.Errorf("failed to delete session from redis: %w", err)
+	}
+	return nil
+}
+
+func (s *RedisStore) SavePKCEVerifier(ctx context.Context, sessionID, verifier string) error {
+	if sessionID == "" || verifier == "" {
+		return errors.New("sessionID and verifier cannot be empty")
+	}
+
+	key := fmt.Sprintf("pkce:%s", sessionID)
+
+	err := s.client.Set(ctx, key, verifier, 10*time.Minute).Err()
+	if err != nil {
+		return fmt.Errorf("failed to save pkce to redis: %w", err)
+	}
+	return nil
+}
+
+func (s *RedisStore) LoadAndDeletePKCEVerifier(ctx context.Context, sessionID string) (string, error) {
+	if sessionID == "" {
+		return "", ErrPKCEVerifierNotFound
+	}
+
+	key := fmt.Sprintf("pkce:%s", sessionID)
+
+	val, err := s.client.Get(ctx, key).Result()
+	if err != nil {
+		if errors.Is(err, redis.Nil) {
+			return "", ErrPKCEVerifierNotFound
+		}
+		return "", fmt.Errorf("failed to load pkce from redis: %w", err)
+	}
+
+	_ = s.client.Del(ctx, key).Err()
+
+	return val, nil
+}
Original file line number	Diff line number	Diff line change
`@@ -182,7 +182,7 @@ func (am *AuthMiddleware) verifyState(next http.Handler) http.Handler {`
`182`	`182`	`return`
`183`	`183`	`}`
`184`	`184`
`185`		`- if !am.isValidSession(state.SessionID) {`
	`185`	`+ if !am.isValidSession(r.Context(), state.SessionID) {`
`186`	`186`	`logger.V(2).Info("Session expired or invalid", "sessionID", state.SessionID)`
`187`	`187`	`writeErrorResponse(w, http.StatusUnauthorized, kubebindv1alpha2.ErrorCodeAuthenticationFailed, "Authentication required", "Session has expired or is invalid")`
`188`	`188`	`return`
`@@ -197,8 +197,8 @@ func (am *AuthMiddleware) verifyState(next http.Handler) http.Handler {`
`197`	`197`	`}`
`198`	`198`
`199`	`199`	`// isValidSession checks if a session ID exists and hasn't expired`
`200`		`-func (am *AuthMiddleware) isValidSession(sessionID string) bool {`
`201`		`- sessionInfo, err := am.sessionStore.Load(sessionID)`
	`200`	`+func (am *AuthMiddleware) isValidSession(ctx context.Context, sessionID string) bool {`
	`201`	`+ sessionInfo, err := am.sessionStore.Load(ctx, sessionID)`
`202`	`202`	`if err != nil {`
`203`	`203`	`return false`
`204`	`204`	`}`