fix(headlamp): set config.oidc.useCookie=true#20

Merged
xnoto merged 1 commit into main from fix/headlamp-oidc-use-cookie on Apr 30, 2026

Conversation

@xnoto (Contributor) commented Apr 30, 2026

Summary

Headlamp's default OIDC popup flow uses `window.opener.postMessage` to deliver the auth result back to the parent window. State drops on cross-origin redirects (Headlamp → Dex → GitHub → Dex → Headlamp), so the popup closes without the parent ever seeing the token, and the user gets re-prompted indefinitely.

`config.oidc.useCookie: true` flips the chart to add the `-oidc-use-cookie` arg, which stores the auth session server-side, keyed off a cookie set during the callback. The parent picks it up via a normal fetch, no postMessage needed.

Test plan

🤖 Generated with Claude Code
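To make the two settings concrete, here is an added Helm values fragment (not taken from this PR or from the chart's own files) showing the default popup flow beside the cookie-backed one. Only `config.oidc.useCookie` and the `-oidc-use-cookie` flag come from this PR; the `clientID`, `clientSecret`, `issuerURL` and `scopes` keys are assumed to match the chart's standard OIDC block, and the issuer URL and secret are placeholders.

```yaml
# Added example values fragment; every key except useCookie is assumed,
# and all values are placeholders, not taken from this PR.
config:
  oidc:
    clientID: headlamp
    clientSecret: "<client-secret-placeholder>"
    issuerURL: https://dex.example.invalid
    scopes: "openid,profile,email,groups"
    # Default (false): the popup hands the token to the parent window via
    # window.opener.postMessage, which is what broke across the
    # Headlamp -> Dex -> GitHub -> Dex -> Headlamp redirect chain, so the
    # user was re-prompted indefinitely.
    # useCookie: false
    #
    # With this PR: the chart adds `-oidc-use-cookie` to the Headlamp
    # container args, the auth session is kept server-side and keyed off a
    # cookie set during the callback, and the parent window retrieves it
    # with a normal fetch instead of postMessage.
    useCookie: true
```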

Headlamp's default OIDC popup uses window.opener postMessage to deliver
the auth result to the parent. State drops on cross-origin redirects
(Headlamp -> Dex -> GitHub -> Dex -> Headlamp), so the popup closes
without the parent ever seeing the token, and the user gets re-prompted.

Switching to useCookie stores the auth session server-side, keyed off a
cookie set during the callback. The parent picks it up via a regular
fetch, no postMessage needed.
@xnoto xnoto self-assigned this Apr 30, 2026
@xnoto xnoto merged commit cdc944a into main Apr 30, 2026
1 check passed
@xnoto xnoto deleted the fix/headlamp-oidc-use-cookie branch April 30, 2026 04:02