EDM-2373: Support multiple authentication providers by celdrake · Pull Request #378 · flightctl/flightctl-ui

celdrake · 2025-11-18T13:09:57Z

Summary by CodeRabbit

New Features
- Full Authentication Providers UI: list, create, edit, details, delete, YAML view, per-item actions, and test-connection modal.
- Login UX: provider selector, provider-redirect flows, Kubernetes token form, and themed (dark/light) login layout.
- Settings shortcut in top navigation to manage providers.
Improvements
- Provider-driven login flow with clearer loading/error states and permission-gated actions.
- Expanded localization for authentication provider workflows.
Bug Fixes
- Alerts/auth handling refined (401 treated consistently for alerts/login flows).

_{✏️ Tip: You can customize this high-level summary in your review settings.}

celdrake · 2025-11-18T13:11:09Z

-  // For 500/501 errors, return the status code for detection
-  if (response.status === 500 || response.status === 501) {
+  // The UI proxy should convert alert errors 401 to 501, but we guard against 401 here as well.
+  const isAlertsDisabled = response.status === 500 || response.status === 501 || response.status === 401;


Now rather than 401 we should be getting proper statusCode 403 when the user does not have permissions, but since it's a bit unstable I'd rather keep converting 401 to 501 and disabling alerts with 401.

celdrake · 2025-11-18T13:13:50Z

 }

-func getAAPAuthHandler(authURL string, internalAuthURL *string) (*AAPAuthHandler, error) {
+func getAAPAuthHandler(provider *v1alpha1.AuthProvider, aapSpec *v1alpha1.AapProviderSpec) (*AAPAuthHandler, error) {


aap is still WIP, the clientId should be retrieved from the config, etc.

celdrake · 2025-11-18T13:18:15Z

+
+const secretAppClientSecret = 'CLIENT-SECRET-1';
+
+const githubValues = {


I need to remove this, but it's just a quick way to fill in the details and start testing.

coderabbitai · 2025-11-19T12:20:45Z

Walkthrough

Adds a provider-driven authentication feature across frontend and backend: admin UI for managing auth providers (CRUD, test, details), provider-aware auth handlers with PKCE and token-data model changes, a test-connection endpoint, many new TS types/UI form helpers, YAML/editor and RBAC updates, and removal of two proxy config vars and their docs entries.

Changes

Cohort / File(s)	Summary
Configuration & proxy vars `CONFIGURATION.md`, `proxy/config/config.go`	Removed `INTERNAL_AUTH_URL` and `AUTH_CLIENT_ID` from documentation and proxy configuration.
Frontend login & routing `apps/standalone/src/app/components/Login/LoginPage.tsx`, `apps/standalone/src/app/components/Login/LoginPageLayout.tsx`, `apps/standalone/src/app/routes.tsx`, `apps/ocp-plugin/src/components/AppContext/AppContext.tsx`	Replaced token-centric login with provider-driven flows, added themed LoginPageLayout, provider selector and token form, redirect logic, new auth-provider routes and client-side auth redirects.
Auth context & client utils `apps/standalone/src/app/context/AuthContext.ts`, `apps/standalone/src/app/utils/apiCalls.ts`, `libs/ui-components/src/hooks/useAlertsEnabled.ts`, `apps/standalone/src/app/utils/apiCalls.ts`	Enhanced callback/user-info error handling; made redirectToLogin synchronous; unified alerts handling to treat 401 as "alerts disabled" alongside 500/501; changed 401 redirect behavior to always invoke redirectToLogin.
Admin UI — auth-provider feature `libs/ui-components/src/components/AuthProvider/`, `libs/ui-components/src/components/Login/`, `libs/ui-components/src/components/form/*`, `libs/ui-components/src/components/common/CodeEditor/YamlEditor.tsx`, `libs/ui-components/src/components/DetailsPage/DetailsPage.tsx`, `libs/ui-components/src/components/OverviewPage/Cards/Alerts/AlertsCard.tsx`	Large new feature: list/create/edit/detail/YAML views, Formik forms with validation and patching, test-connection modal, delete modal, provider selector and token login form, ListItemField and other form helpers, Row/Table components, and UI text updates including "Authentication provider" label.
Create/edit form utils & hooks `libs/ui-components/src/components/AuthProvider/CreateAuthProvider/*`, `libs/ui-components/src/components/AuthProvider/useAuthProviders.ts`, `libs/ui-components/src/components/AuthProvider/CreateAuthProvider/utils.ts`, `.../types.ts`	New form components, type guards, init/patch builders, JSON Patch generation, validation schema, role/org assignment UI and helpers, and periodic provider hook.
Types & models (TS) `libs/types/index.ts`, `libs/types/models/*` (many files)	Added many generated types (TokenRequest/TokenResponse/UserInfoResponse, OpenShiftProviderSpec, ApplicationPort/ApplicationResources/VolumeMount/ImageMount/MountVolume/VolumeMount), added AuthDynamicRoleAssignment.separator, removed K8sProviderSpec.externalOpenShiftApiUrl, appended AppType container member, and updated exports.
UI types, RBAC & utils `libs/ui-components/src/types/extraTypes.ts`, `libs/ui-components/src/types/rbac.ts`, `libs/ui-components/src/utils/*`, `libs/ui-components/src/utils/patch.ts`	Added DynamicAuthProviderSpec, ProviderType enum, isDynamicAuthProvider, AUTH_PROVIDER resource, getProviderDisplayName, JWT validator and nowInSeconds, and adjusted appendJSONPatch boolean handling.
Proxy auth refactor & handlers (Go) `proxy/auth/*.go` (auth.go, common.go, k8s.go, oidc.go, aap.go, openshift.go, oauth2.go, api_client.go)	Major refactor: provider-spec-driven auth handlers, PKCE support, TokenData (IDToken/AccessToken), provider resolution, backend API token-exchange client, new OAuth2/OpenShift handlers, changed method signatures for GetUserInfo/GetLoginRedirectURL and other flows; removed old oauth.go.
Proxy bridge, test endpoint & app `proxy/bridge/handler.go`, `proxy/bridge/testauth.go`, `proxy/app.go`	Added createAlertsReverseProxy (Alerts 401→501), clear-site-data on backend 401s, and registered `/test-auth-provider-connection` TestAuthHandler endpoint with discovery and endpoint reachability checks and SSRF protections.
Proxy middleware & routing tweaks `proxy/middleware/auth.go`, `proxy/middleware/organization.go`	Use TokenData.GetAuthToken() when injecting Authorization header; exclude auth config endpoint from org_id query injection.
Deps & i18n `proxy/go.mod`, `libs/i18n/locales/en/translation.json`	Bumped flightctl dependency; removed legacy token localization keys and added extensive auth-provider related translations and renaming ("Auth provider" → "Authentication provider").

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant FE as Frontend (Login)
    participant Proxy as Backend (proxy/auth)
    participant IDP as Identity Provider
    participant Test as TestAuthHandler

    User->>FE: GET /login
    FE->>Proxy: GET /api/auth/config
    Proxy-->>FE: list of providers

    alt Token (k8s) provider (direct token)
        User->>FE: submit token
        FE->>Proxy: POST /login?provider=k8s (token)
        Proxy-->>FE: session/token response
        FE->>User: redirect to /
    else OAuth/OIDC/OpenShift provider (PKCE)
        FE->>FE: generate PKCE (code_challenge, verifier)
        FE->>Proxy: request login redirect (state + code_challenge)
        Proxy->>IDP: redirect user to provider auth endpoint
        IDP-->>Proxy: callback with code & state
        Proxy->>Proxy: exchange code via backend/API server (PKCE)
        Proxy-->>FE: set session cookie / token data
        FE->>User: redirect to /
    end

    Note over User,Test: Admin tests provider connection
    User->>Test: POST /test-auth-provider-connection (config)
    Test->>Test: discovery & endpoint reachability checks (SSRF-safe)
    Test-->>User: field-level validation results

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Areas to focus during review:

proxy/auth/* — provider resolution, PKCE flows, TokenData changes, altered method signatures and API-client interactions.
proxy/bridge/testauth.go & bridge/handler.go — endpoint reachability checks, SSRF protections, alerts reverse-proxy behavior.
apps/standalone LoginPage and AuthContext — provider-driven login, state/code parsing, redirect behavior and error flows.
libs/ui-components AuthProvider create/edit utils/form validation and JSON patch generation, and new UI components wiring.

Possibly related PRs

EDM-696: Support AAP Oauth2 #209 — Overlapping backend/frontend authentication subsystem refactors (provider handlers, PKCE, token exchange).
Alerts follow-ups: reuse existing API functionality for retrieving alerts #332 — Related alerts handling changes (treating 401 as alerts-disabled / alerts fetch behavior).
EDM-1654: Show alerts in Overview page #330 — Alerts reverse-proxy and useAlertsEnabled hook changes tied to alerts 401→501 mapping.

Suggested reviewers

rawagner
fzdarsky

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 72.97% which is insufficient. The required threshold is 80.00%.	You can run `@coderabbitai generate docstrings` to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately and concisely summarizes the primary change: adding support for multiple authentication providers across the codebase.

✨ Finishing touches

📝 Generate docstrings

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

proxy/auth/auth.go (1)
289-315: Token provider POST login ignores io.ReadAll errors

In the K8s token login branch:
body, err := io.ReadAll(r.Body)
err = json.Unmarshal(body, &loginParams)
if err != nil { ... }
If io.ReadAll fails, its error is discarded and only the unmarshal error is seen, which can hide I/O issues and potentially mis‑classify bad requests vs server problems. Consider the same pattern you already use in the non‑K8s branch:
- body, err := io.ReadAll(r.Body)
- err = json.Unmarshal(body, &loginParams)
- if err != nil {
+ body, err := io.ReadAll(r.Body)
+ if err != nil {
+   log.GetLogger().WithError(err).Warn("Failed to read request body")
+   w.WriteHeader(http.StatusBadRequest)
+   return
+ }
+ if err := json.Unmarshal(body, &loginParams); err != nil {
    log.GetLogger().WithError(err).Warn("Failed to unmarshal request body")
    w.WriteHeader(http.StatusBadRequest)
    return
  }
This keeps diagnostics consistent across branches.

♻️ Duplicate comments (4)

apps/ocp-plugin/src/utils/apiCalls.ts (1)

56-71: 401-as-disabled behavior is consistent with existing alerts handling

Treating 401 like 500/501 for alerts (returning Error('${response.status}')) aligns with the comment and existing pattern for signaling “alerts disabled” to callers. The special-case 404 handling is preserved, and all other statuses still go through getErrorMsgFromAlertsApiResponse, so behavior remains predictable.

libs/ui-components/src/components/AuthProvider/CreateAuthProvider/CreateAuthProviderForm.tsx (1)

32-56: Remove or behind-flag the hard-coded “test provider” presets before shipping

The blue‑bordered “Test provider” section plus githubValues/googleValues constants are clearly a temporary testing harness, including fake client IDs/secrets and canned org/role settings.

Leaving this in production:

Clutters the UX for real users.

Risks accidental use of placeholder config.

Conflicts with your own earlier note about removing it.

I’d either:

Strip this block and related constants entirely, or

Hide it behind a dev‑only flag (e.g., build‑time env) if you still need it locally.

Also applies to: 135-203
proxy/auth/aap.go (1)
53-105: AAP handler follows the new pattern but hard‑codes clientId, which should eventually come from config/spec

The AAP changes align with the other providers:

getAAPAuthHandler now derives URLs from AapProviderSpec (internal vs external) and builds both external and internal clients.

getClient enforces a non‑empty clientId and wires PKCE‑friendly osincli.ClientConfig.

GetToken, RefreshToken, GetLoginRedirectURL, and Logout all follow the shared patterns.

However, getAAPAuthHandler currently hard‑codes:
clientId := "flightctl-ui"
while comments and past reviews indicate this should eventually be sourced from configuration / CRD. Combined with getClientIdFromProviderConfig in auth.go still returning an error for ProviderTypeAAP, this leaves AAP in an incomplete, WIP state for the main login/refresh paths.

Non‑blocking for now if AAP isn’t exposed to users yet, but before enabling it in production you’ll want to:

Add a clientId field to the AAP provider spec or a dedicated config source.

Plumb that value into both getAAPAuthHandler and getClientIdFromProviderConfig.

Remove or adjust the hard‑coded "flightctl-ui" default.

Tagging as a duplicate of the earlier clientId comment so it stays on your radar.

Also applies to: 107-181
proxy/auth/auth.go (1)

53-151: Provider lookup / instantiation logic is solid, but AAP cannot yet participate in BFF token flows

The findProviderConfig + getProviderInstance pipeline is a good abstraction and the OpenShift vs vanilla K8s split via ExternalOpenShiftApiUrl is reasonable. One important gap:

getClientIdFromProviderConfig currently returns an error for ProviderTypeAAP and for non‑OpenShift K8s. Because Login (POST) and Refresh rely on getClientIdFromProviderConfig for all non‑K8s‑token providers, AAP providers effectively cannot use the new backend BFF token exchange at all; they will consistently hit the "AAP providers client_id needs to be retrieved" path and surface a 500.

If AAP isn’t meant to be enabled yet, that’s acceptable as an intentional limitation, but consider either:

Explicitly rejecting AAP providers at configuration time with a clearer message, or

Wiring ClientId from the AAP provider spec / config into getClientIdFromProviderConfig as soon as the backend surface is ready.

Otherwise the behavior is confusing: AAP looks like a first‑class provider type but is unusable in the main login/refresh paths.

🧹 Nitpick comments (43)

proxy/bridge/handler.go (1)
60-89: Refactor to eliminate code duplication and verify the 501 status code choice.

This function duplicates most of createReverseProxy. Consider extracting the common proxy setup logic and passing the 401 handling behavior as a parameter or callback.

Additionally, converting 401 to 501 "Not Implemented" may mislead clients and monitoring tools. The comment mentions "disabled", but 501 typically indicates unsupported HTTP methods, not disabled services.

Suggested refactor to reduce duplication:
+type responseModifier func(*http.Response) error
+
+func createReverseProxyWithModifier(apiURL string, modifier responseModifier) (*url.URL, *httputil.ReverseProxy) {
+	target, err := url.Parse(apiURL)
+	if err != nil {
+		log.GetLogger().WithError(err).Errorf("Failed to parse URL '%s'", apiURL)
+		os.Exit(1)
+	}
+	proxy := httputil.NewSingleHostReverseProxy(target)
+	proxy.ModifyResponse = func(r *http.Response) error {
+		filterHeaders := []string{
+			"Access-Control-Allow-Headers",
+			"Access-Control-Allow-Methods",
+			"Access-Control-Allow-Origin",
+			"Access-Control-Expose-Headers",
+		}
+		for _, h := range filterHeaders {
+			r.Header.Del(h)
+		}
+		
+		if modifier != nil {
+			return modifier(r)
+		}
+		return nil
+	}
+	return target, proxy
+}
+
 func createReverseProxy(apiURL string) (*url.URL, *httputil.ReverseProxy) {
-	target, err := url.Parse(apiURL)
-	if err != nil {
-		log.GetLogger().WithError(err).Errorf("Failed to parse URL '%s'", apiURL)
-		os.Exit(1)
-	}
-	proxy := httputil.NewSingleHostReverseProxy(target)
-	proxy.ModifyResponse = func(r *http.Response) error {
-		filterHeaders := []string{
-			"Access-Control-Allow-Headers",
-			"Access-Control-Allow-Methods",
-			"Access-Control-Allow-Origin",
-			"Access-Control-Expose-Headers",
-		}
-		for _, h := range filterHeaders {
-			r.Header.Del(h)
-		}
-
+	return createReverseProxyWithModifier(apiURL, func(r *http.Response) error {
 		// If the backend returns 401 Unauthorized, clear the session cookie
 		// This handles the case where the token in the cookie has expired
 		if r.StatusCode == http.StatusUnauthorized {
 			r.Header.Set("Clear-Site-Data", `"cookies"`)
 			log.GetLogger().Debug("Backend returned 401, clearing session cookies")
 		}
-
 		return nil
-	}
-	return target, proxy
+	})
 }
 
 func createAlertsReverseProxy(apiURL string) (*url.URL, *httputil.ReverseProxy) {
-	target, err := url.Parse(apiURL)
-	if err != nil {
-		log.GetLogger().WithError(err).Errorf("Failed to parse URL '%s'", apiURL)
-		os.Exit(1)
-	}
-	proxy := httputil.NewSingleHostReverseProxy(target)
-	proxy.ModifyResponse = func(r *http.Response) error {
-		filterHeaders := []string{
-			"Access-Control-Allow-Headers",
-			"Access-Control-Allow-Methods",
-			"Access-Control-Allow-Origin",
-			"Access-Control-Expose-Headers",
-		}
-		for _, h := range filterHeaders {
-			r.Header.Del(h)
-		}
-
+	return createReverseProxyWithModifier(apiURL, func(r *http.Response) error {
 		// For alerts API, we may sometimes receive 401 instead of 403.
 		// To prevent login out the user, we convert 401 to 501.
 		if r.StatusCode == http.StatusUnauthorized {
 			r.StatusCode = http.StatusNotImplemented
 			r.Status = "501 Not Implemented"
 			log.GetLogger().Debug("Alerts API returned 401, converting to 501 (disabled)")
 		}
-
 		return nil
-	}
-	return target, proxy
+	})
 }
Regarding the 501 status code:

Please verify that 501 "Not Implemented" is the appropriate choice. Consider these alternatives:

503 Service Unavailable if alerts are temporarily disabled

403 Forbidden if the user lacks permissions for alerts

404 Not Found if the alerts feature is completely disabled/unavailable

You may also want to check whether clients and monitoring systems correctly interpret this status code as "alerts disabled" rather than "server doesn't support this method."
libs/ui-components/src/components/form/NameField.tsx (1)

75-83: Disabled helper text wiring looks correct and non-breaking.

Plumbing helperText into the disabled path via DefaultHelperText is consistent with the existing Formik setup, avoids leaking helperText into TextInput via ...rest, and keeps the public NameFieldProps surface unchanged.

libs/ui-components/src/utils/patch.ts (1)

23-54: Boolean-safe JSON patch behavior is an improvement

Guarding the remove case with typeof newValue !== 'boolean' ensures boolean fields are never dropped when toggled to false, but are instead patched via add/replace, which is more intuitive for flags. One small follow-up you might consider is documenting (or asserting) that encodeB64 is only used for string values, since we now more often pass non-string newValue through this helper as well.

libs/types/models/AuthDynamicRoleAssignment.ts (1)

8-21: Separator field is useful, but consider regenerating from OpenAPI

Adding separator?: string (with the detailed JSDoc) matches the dynamic role semantics used elsewhere and should make UI code safer and clearer. Since this file is tagged as generated by openapi-typescript-codegen, it would be better long term to update the OpenAPI schema and regenerate types so this property doesn’t get lost on the next codegen run.

libs/ui-components/src/components/Login/TokenLoginForm.tsx (1)

33-99: Submit flow and error handling look solid; consider reusing shared utilities

The overall flow (clearing local storage, posting a trimmed token, parsing JSON/non‑JSON errors, setting an expiry, then redirecting) is clean and defensive. Two small follow-ups you might consider:

Reuse a shared nowInSeconds helper (and, if one exists elsewhere, a shared EXPIRATION storage key) instead of re‑defining them locally to avoid drift with other login flows.

If other callers rely on the same login?provider= endpoint, double‑check that proxyFetch sets the appropriate JSON Content-Type header so the backend can reliably parse { token }.

Neither is blocking, but they would help keep auth behavior consistent across providers.

libs/ui-components/src/components/form/ListItemField.tsx (1)

9-120: Harden ListItemField against undefined initial values and simplify async usage

Nice reusable component; the LabelGroup + EditableLabelControl pattern fits well. Two small robustness refactors to consider:

useField<string[]>(name) will give value as undefined if the form’s initialValues forget to initialize this field to []; items.map(...) would then throw. You could defensively normalize with something like const items = Array.isArray(field.value) ? field.value : []; to make the component safer in future forms.

updateItems, onDelete, onAdd, and onEdit are marked async and await setItems(...), but Formik’s setValue is synchronous and returns void. Dropping async/await here would simplify the code without changing behavior.

These are non-blocking refinements that make the component more resilient and clearer.
libs/ui-components/src/components/AuthProvider/CreateAuthProvider/utils.ts (1)
471-483: Consider avoiding then properties in Yup .when config to satisfy noThenProperty

Biome flags the then keys in the .when('roleAssignmentType', { is, then }) configs as suspicious. You can express the same logic using the function form of when, which avoids a then property entirely and keeps the intent clear.
-    roleClaimPath: Yup.array()
-      .of(Yup.string())
-      .when('roleAssignmentType', {
-        is: RoleAssignmentType.Dynamic,
-        then: (schema) => schema.min(1, t('At least one claim path segment is required for dynamic role assignment')),
-      }),
+    roleClaimPath: Yup.array()
+      .of(Yup.string())
+      .when('roleAssignmentType', (roleAssignmentType, schema) =>
+        roleAssignmentType === RoleAssignmentType.Dynamic
+          ? schema.min(1, t('At least one claim path segment is required for dynamic role assignment'))
+          : schema,
+      ),
@@
-    staticRoles: Yup.array()
-      .of(Yup.string())
-      .when('roleAssignmentType', {
-        is: RoleAssignmentType.Static,
-        then: (schema) => schema.min(1, t('At least one role is required for static role assignment')),
-      }),
+    staticRoles: Yup.array()
+      .of(Yup.string())
+      .when('roleAssignmentType', (roleAssignmentType, schema) =>
+        roleAssignmentType === RoleAssignmentType.Static
+          ? schema.min(1, t('At least one role is required for static role assignment'))
+          : schema,
+      ),
Please double-check against the Yup docs for your exact version to confirm the when builder signature.
proxy/auth/api_client.go (1)
217-227: Optional: fall back to sub when preferred_username is missing

Right now a missing preferred_username is treated as an error even if sub is present. Depending on backend behavior, it might be more robust to fall back to sub (or another stable identifier) instead of failing outright.
-	if userInfoResp.PreferredUsername == nil {
-		return "", fmt.Errorf("userinfo response missing preferred_username")
-	}
-
-	username := *userInfoResp.PreferredUsername
+	var username string
+	if userInfoResp.PreferredUsername != nil {
+		username = *userInfoResp.PreferredUsername
+	} else if userInfoResp.Sub != nil {
+		username = *userInfoResp.Sub
+	} else {
+		return "", fmt.Errorf("userinfo response missing preferred_username and sub")
+	}
libs/ui-components/src/components/AuthProvider/AuthProviderDetails/RoleAssigmentDetails.tsx (1)

14-15: Typo in component name (RoleAssigmentDetails vs RoleAssignmentDetails)

The component/file name is missing an “n” (“Assigment”). Not a functional issue, but it may cause minor confusion when searching the codebase.

If feasible, consider renaming the file and component to RoleAssignmentDetails and updating imports accordingly.

Also applies to: 53-53

proxy/middleware/auth.go (1)

17-21: Using GetAuthToken() and guarding on empty tokens is appropriate

Switching to tokenData.GetAuthToken() and only injecting the header when non-empty aligns this middleware with the new token abstraction.

As a minor tweak, you might prefer r.Header.Set(common.AuthHeaderKey, "Bearer "+token) instead of Add to avoid any chance of multiple Authorization headers if something upstream already set one.

apps/standalone/src/app/routes.tsx (2)

358-399: Auth gating is fine, but consider avoiding direct window access in render

The authentication gating logic is straightforward and correctly skips redirects when authEnabled is false or username is present. However, you might want to eventually:

Derive pathname from useLocation() instead of window.location to align with react-router and make testing easier.

Consider performing the redirect in an effect (useEffect) using the router’s navigation APIs instead of mutating window.location inside render, unless a full page reload is explicitly required.

This is non-blocking and can be deferred.

406-409: Duplicate /callback route definitions may be unnecessary

There is a top-level /callback route here and another /callback route returned from getAppRoutes. They currently redirect to different targets ('/' vs '/overview'). It’s worth double‑checking that you really need both and that the chosen redirect target is intentional for all callback flows; otherwise, consider consolidating to a single canonical /callback route.

libs/ui-components/src/components/AuthProvider/CreateAuthProvider/Oauth2ProviderFields.tsx (1)

7-21: OAuth2 fields component is straightforward; consider tightening input semantics

The three required fields map cleanly to OAuth2ProviderSpec (authorizationUrl, tokenUrl, userinfoUrl) and use translations consistently. If TextField supports it, consider setting an appropriate type (e.g., "url") for these fields to get native browser validation and better UX around URL entry.
libs/ui-components/src/utils/k8sProvider.ts (1)
4-22: Tighten JWT format check and make K8s provider detection more robust

A few small edge cases worth considering here:

isValidJwtTokenFormat (Lines 4–12): the base64url regex ^[A-Za-z0-9_-]+$ will reject segments that include = padding. Some JWT libraries emit padded base64url; if you expect those, consider allowing = at the end, or document that this is intentionally strict.

nowInSeconds (Line 14): for epoch seconds, Math.floor(Date.now() / 1000) is more conventional and avoids rounding into the future by up to 0.5s, which can matter for expiry comparisons.

isK8sTokenProvider (Lines 16–21): the comment says OpenShift providers are providerType === K8s with externalOpenShiftApiUrl set and different from apiUrl. The current predicate (externalOpenShiftApiUrl === apiUrl) will return false for K8s providers where externalOpenShiftApiUrl is simply unset. If “plain K8s” is represented as externalOpenShiftApiUrl absent/empty, you may want something like:
export const isK8sTokenProvider = (provider: AuthProvider): boolean => {
  if (provider.spec.providerType !== ProviderType.K8s) {
    return false;
  }
  const { externalOpenShiftApiUrl, apiUrl } = provider.spec;
  // Treat as OpenShift only when an explicit, different external OCP URL is configured
  return !externalOpenShiftApiUrl || externalOpenShiftApiUrl === apiUrl;
};
Can you confirm how externalOpenShiftApiUrl is populated for non-OCP K8s providers and whether the undefined/empty case should be treated as a K8s token provider?
apps/standalone/src/app/components/Login/LoginPageLayout.tsx (1)

4-38: Consider reusing shared theme utility and guarding for non-browser environments

Two minor points here:

updateThemeClass duplicates the logic from libs/ui-components/src/hooks/useThemePreferences.ts. Since that helper is already exported and pure, you could import and reuse it instead of re-implementing, to keep theme handling consistent.

useBrowserTheme calls window.matchMedia and touches document.documentElement during render/effect. That’s fine for a purely browser-based app, but if this component is ever rendered in a non-DOM environment (SSR or certain tests), you may want quick guards around typeof window !== 'undefined' / typeof document !== 'undefined'.

Not blocking, but worth considering for consistency and resilience.

libs/ui-components/src/components/AuthProvider/CreateAuthProvider/AuthOrganizationAssignment.tsx (1)

11-99: Organization assignment logic looks solid; consider DRY’ing prefix/suffix fields

The three org-assignment modes (Static/Dynamic/Per user) are wired correctly to AuthProviderFormValues and the UX text is clear.

The only nit is the duplicated orgNamePrefix / orgNameSuffix FormGroups in the Dynamic and PerUser branches. If this section grows, you might want to extract a small helper component for the shared prefix/suffix fields to reduce repetition, but it’s not required for correctness.
apps/standalone/src/app/utils/apiCalls.ts (1)
58-60: 401 handling and alerts-disabled semantics: double-check for redirect loops and intent

A few behavioral points around the new 401 handling:

redirectToLogin (Lines 58–60) is now always called on 401 in handleApiJSONResponse (Lines 73–75), regardless of the current route. If any code on /login itself uses fetchData/fetchWithRetry and gets a 401 (e.g., a misconfigured public endpoint), this can result in a redirect loop. Consider restoring a simple guard:
if (response.status === 401 && window.location.pathname !== '/login') {
  redirectToLogin();
}
After redirectToLogin() you still throw new Error(...). The page will be navigating away anyway, so this error mainly adds noise to logs. If you want to avoid that, you could return Promise.reject() or early-return after redirect; otherwise it’s acceptable but a bit redundant.

In handleAlertsJSONResponse (Lines 90–94), treating 401 like 500/501 and surfacing it as “alerts disabled” is a reasonable defensive fallback, but it assumes any 401 from the alerts proxy should not trigger a login redirect. Given the earlier pattern for organizations (501 => disabled), it would be good to confirm with the backend/proxy contract that a real auth failure on alerts should never leak through as a bare 401 here.

If the intent is exactly as above, the implementation is fine; otherwise, a small tweak to separate “disabled” vs “unauthorized” cases might be warranted.

Also applies to: 73-75, 90-94
libs/ui-components/src/components/Login/ProviderSelector.tsx (1)
21-28: Tighten provider key generation and duplicate-name details logic

This component is generally well structured; a few small refinements would make it more robust:

Key generation (Lines 21–28): getProviderKey falls back to literal 'issuer' / 'clientId' when those fields don’t exist, so two non-OAuth2/OIDC providers with the same metadata.name will share the same React key. If possible, include something guaranteed unique, e.g. metadata.uid or a stable URL:
const getProviderKey = (provider: AuthProvider): string => {
  const name = provider.metadata.name as string;
  const issuerUrl = 'issuer' in provider.spec ? provider.spec.issuer : '';
  const clientId = 'clientId' in provider.spec ? provider.spec.clientId : '';
  const providerType = provider.spec.providerType;
  return `${providerType}-${name}-${issuerUrl}-${clientId}`;
};
Type narrowing for details (Lines 80–88): casting provider.spec as DynamicAuthProviderSpec is a bit misleading when a non-dynamic provider shares a display name; you’ll still hit this block, but those specs may not have authorizationUrl/issuer/clientId. You could instead use the existing type guard directly on the wider spec type:
const spec = provider.spec;
if (isOAuth2Provider(spec)) {
  details = spec.authorizationUrl || spec.clientId || '';
} else {
  details = 'issuer' in spec ? spec.issuer || spec.clientId || '' : spec.clientId || '';
}
Avoid empty <small> (Lines 80–82, 101): if details ends up as an empty string (e.g., non-dynamic provider), you still render <small>{details}</small>. Consider guarding on details:
{isDuplicateName && details && <small>{details}</small>}
These are all relatively small changes but will make duplicate handling and rendering more predictable.

Also applies to: 39-53, 76-104
libs/ui-components/src/components/common/PageNavigation.tsx (1)
64-108: Gate the Settings button on isAdmin to match RBAC intent

Right now:

shouldShowNavigation = showOrganizationSelection || isAdmin;

But the Settings cog is always rendered whenever the nav is shown.

That means a non‑admin user who just happens to have multiple organizations will see the “Settings” button and can navigate to the auth providers page, even if they don’t have update/create rights (backend should still block, but UX becomes confusing and exposes an entry point that looks admin‑only).

To align with the “isAdmin === canUpdate/create auth providers” intent from earlier discussion, consider wrapping the Settings toolbar item in an isAdmin check:
-                {showOrganizationSelection && (
+                {showOrganizationSelection && (
                   <ToolbarItem>
                     <OrganizationDropdown
                       organizationName={currentOrgDisplayName}
                       onSwitchOrganization={() => {
                         setShowOrganizationModal(true);
                       }}
                     />
                   </ToolbarItem>
                 )}
-                <ToolbarItem>
-                  <Tooltip content={t('Manage authentication providers')}>
-                    <Button
-                      variant="link"
-                      aria-label={t('Settings')}
-                      onClick={() => navigate(ROUTE.AUTH_PROVIDERS)}
-                      icon={<CogIcon />}
-                    >
-                      {t('Settings')}
-                    </Button>
-                  </Tooltip>
-                </ToolbarItem>
+                {isAdmin && (
+                  <ToolbarItem>
+                    <Tooltip content={t('Manage authentication providers')}>
+                      <Button
+                        variant="link"
+                        aria-label={t('Settings')}
+                        onClick={() => navigate(ROUTE.AUTH_PROVIDERS)}
+                        icon={<CogIcon />}
+                      >
+                        {t('Settings')}
+                      </Button>
+                    </Tooltip>
+                  </ToolbarItem>
+                )}
That keeps shouldShowNavigation behavior (single‑org admins still see the bar) while making the Settings control itself consistently admin‑only.
libs/ui-components/src/components/AuthProvider/AuthProviderDetails/DeleteAuthProviderModal.tsx (1)
16-90: Consider closing the modal automatically on successful delete

handleDelete currently:
await remove(`authproviders/${authProviderId}`);
onDeleteSuccess();
but never calls onClose. In the details page, onDeleteSuccess navigates away so the modal unmounts anyway, but in other potential callers (e.g. a list page that stays on the same route) it’s easy to forget to both refetch and explicitly close the modal.

You could make the component safer to reuse by closing on success:
  const handleDelete = async () => {
    setError(undefined);
    setIsLoading(true);
    try {
      await remove(`authproviders/${authProviderId}`);
-     onDeleteSuccess();
+     onDeleteSuccess();
+     onClose();
    } catch (e) {
      setError(getErrorMessage(e));
    } finally {
      setIsLoading(false);
    }
  };
This preserves current behavior on the details page (it will still navigate) while ensuring the modal always dismisses after a successful delete.
apps/standalone/src/app/components/Login/LoginPage.tsx (1)
50-53: Minor: clean up provider name interpolation string

The translation string has a trailing space and slightly inconsistent spacing around the variable ('{{ providerName}} '). Consider tightening it so localization doesn’t depend on incidental whitespace:
-          t('Failed to initiate login with {{ providerName}} ', {
+          t('Failed to initiate login with {{ providerName }}', {
             providerName: getProviderDisplayName(provider, t) || (provider.metadata.name as string),
           }),
apps/standalone/src/app/context/AuthContext.ts (1)

49-102: Callback and user‑info error handling is much more robust; consider centralizing response parsing

The changes around the /callback flow and /info handling look good:

Requiring both code and state before POSTing to ${loginAPI} avoids ambiguous or insecure callback handling.

Provider name extraction from state and passing the full encoded state through to the backend aligns with the documented state format and PKCE fallback comments.

For both the login POST and /info calls, you now try to extract a detailed error message from JSON or text responses and bail out early, which prevents later logic from running on failed auth.

One small clean‑up opportunity: the error‑body parsing logic for the 401 branch and the generic resp.status !== 200 branch is nearly identical. If you find yourself reusing this pattern in more places, it might be worth factoring into a small helper like async readErrorMessage(resp, defaultMessage) to keep the main control flow tighter.

Please verify that backend error payloads for ${loginAPI} and ${loginAPI}/info consistently use an { error?: string } shape (or plain text) so this parsing logic always yields meaningful messages.

Also applies to: 115-157, 166-169

libs/ui-components/src/components/AuthProvider/AuthProvidersPage.tsx (1)

63-76: Minor text polish for empty state

Two tiny text nits you might want to tidy up:

Title: “Add your first authentication providers” → “Add your first authentication provider”

Body: “Oauth2” → “OAuth2” for consistency with other labels.

This keeps the copy consistent and a bit more polished.
libs/ui-components/src/components/AuthProvider/CreateAuthProvider/CreateAuthProvider.tsx (1)
29-47: Create/edit flow and RBAC wrapper look correct; consider basing title on authProviderId

The create/edit page wiring looks good overall:

When authProviderId is present, you fetch details, show a spinner while loading, and surface errors inline via an Alert.

CreateAuthProviderForm gets the existing provider in edit mode and navigates back to the list or details on close/success.

CreateAuthProviderWithPermissions correctly checks CREATE vs PATCH via useAccessReview and wraps the inner component in PageWithPermissions.

One minor UX suggestion: the page title is currently driven by !!authProviderDetails, so if fetching an existing provider fails you’ll show “Add authentication provider” while the breadcrumb still includes the ID and an error alert explains that details couldn’t be retrieved. Basing the title on authProviderId instead would keep the edit vs create mode more semantically consistent even when the fetch fails.
-  let title: string;
-  if (!!authProviderDetails) {
-    title = t('Edit authentication provider');
-  } else {
-    title = t('Add authentication provider');
-  }
+  const title = authProviderId
+    ? t('Edit authentication provider')
+    : t('Add authentication provider');
Not critical, but it would make error states a bit clearer to users.

Also applies to: 55-88, 121-135
libs/ui-components/src/components/AuthProvider/AuthProviderDetails/AuthProviderDetailsTab.tsx (3)
49-56: Guard the DynamicAuthProviderSpec cast / orgAssignment access

authProvider.spec is force-cast to DynamicAuthProviderSpec, and organizationAssignment is accessed without checks. If a non-OIDC/OAuth2 provider ever reaches this component (e.g., k8s), this will blow up at runtime.

Consider either:

Narrowing the prop type to a dynamic provider-specific type, or

Adding a runtime guard on spec.providerType before casting/using organizationAssignment.

96-99: Use the human‑readable provider type label in the configuration title

The title uses spec.providerType directly, which will likely render raw enum values such as "oidc"/"oauth2":
{t('{{ providerType }} configuration', { providerType: spec.providerType })}
You already have getProviderTypeLabel; wiring that in here would keep the title consistent with the “Type” field:
- {t('{{ providerType }} configuration', { providerType: spec.providerType })}
+ {t('{{ providerType }} configuration', {
+   providerType: getProviderTypeLabel(spec.providerType, t),
+ })}
196-230: Defensive handling for orgAssignment.claimPath and optional org name prefix/suffix

For dynamic org assignment you assume orgAssignment.claimPath is always present:
{orgAssignment.type === OrgAssignmentType.Dynamic && (
  ...
  {orgAssignment.claimPath.map(...)}
)}
If the backend ever omits claimPath (or it’s accidentally null), this will throw. Same for organizationNamePrefix / organizationNameSuffix you later render as strings but default to 'N/A'.

Consider normalizing with safe defaults:
- {orgAssignment.claimPath.map((pathSegment, index) => (
+ {(orgAssignment.claimPath ?? []).map((pathSegment, index) => (
    <Label key={`${pathSegment}-${index}`}>{pathSegment}</Label>
  ))}
and similar ?? '' defaults where appropriate before rendering.
libs/ui-components/src/components/AuthProvider/CreateAuthProvider/CreateAuthProviderForm.tsx (3)
229-235: Clarify Client secret requiredness for OAuth2 PKCE vs confidential clients

Client secret is always marked isRequired in the UI:
<FormGroup label={t('Client secret')} isRequired>
  <TextField name="clientSecret" ... type="password" />
</FormGroup>
Given the new PKCE flows and support for public OAuth2 clients without a secret, this visual required marker may be misleading if the validation schema allows an empty secret for those cases.

Consider:

Tying isRequired to the same condition you use in authProviderSchema, or

Adjusting the label/helper text to “Required for confidential clients” if secrets are optional for some provider types.

282-315: Test connection payload may be too minimal (no client secret / scopes)

handleTestConnection only sends:
const requestBody = {
  providerType: values.providerType,
  issuer: values.issuer,
  authorizationUrl: values.authorizationUrl,
  tokenUrl: values.tokenUrl,
  userinfoUrl: values.userinfoUrl,
  clientId: values.clientId,
};
If the backend’s test-auth-provider-connection endpoint needs clientSecret and/or scopes to properly validate a configuration (especially for confidential clients), the test button could give false negatives or incomplete diagnostics.

It’s probably worth confirming the API contract and, if needed, extending the payload:
       clientId: values.clientId,
+      clientSecret: values.clientSecret,
+      scopes: values.scopes,
351-379: Edit flow passes stale authProvider to onSuccess

In the edit path you compute patches and send them, but on success you call:
await patch<AuthProvider>(`authproviders/${authProvider.metadata.name}`, patches);
onSuccess(authProvider);
This hands the caller the original object, not the updated resource or at least a locally updated copy. If callers rely on the returned AuthProvider for UI state, they’ll be out of sync with what the backend now has.

Consider either:

Using the response from patch (if it returns the updated resource), or

Manually merging values into authProvider before passing it to onSuccess.

Example:
- const updated = await patch<AuthProvider>(..., patches);
- onSuccess(authProvider);
+ const updated = await patch<AuthProvider>(..., patches);
+ onSuccess(updated);
(Adjust to match your patch helper’s return type.)
proxy/auth/oauth2.go (1)
26-56: PKCE‑only client config: verify behavior for confidential OAuth2 clients

getOAuth2AuthHandler enforces required fields and then builds an osin client with:
ClientSecret:             "",  // Not needed with PKCE for public clients
SendClientSecretInParams: false,
Scope:                    scope,
and never uses oauth2Spec.ClientSecret.

That’s perfect for pure PKCE/public clients, but if you intend to support confidential OAuth2 clients that do require a client secret, they’ll currently be misconfigured:

No secret is sent on token exchange.

There’s no early validation that a secret was erroneously provided.

I’d suggest either:

Explicitly scoping this handler to PKCE/public clients and rejecting specs that include a client secret, or

Extending the config to optionally include oauth2Spec.ClientSecret (and configuring osin accordingly) when your provider type indicates a confidential client.
proxy/auth/k8s.go (1)
27-32: Consider populating TokenData.Provider using providerName

You now capture providerName in TokenAuthProvider, but ValidateToken builds:
tokenData := TokenData{
	IDToken:      token,
	RefreshToken: "",
}
Given TokenData has a Provider field (and you’re moving toward multiple providers), setting it here would make downstream logic more robust:
tokenData := TokenData{
    IDToken:      token,
    RefreshToken: "",
+   Provider:     t.providerName,
}
If you don’t plan to use Provider for K8s flows, you could also drop the providerName field entirely to keep the struct minimal.

Also applies to: 78-85
proxy/auth/openshift.go (1)

35-98: OpenShift handler wiring is sound; consider future configurability and clearer naming

The handler follows the same PKCE / exchangeToken / refreshOAuthToken / loginRedirect patterns as the other providers, and the discovery‑based logout is a nice touch. A couple of non‑blocking points:

authURL (local var) is really the API server base URL and is then copied to apiServerURL, while the struct field authURL stores the authorize endpoint. Renaming the local variable or the struct field later would reduce confusion when debugging.

clientId and scope ("user:full") are currently hard‑coded. Once the CRD/spec grows fields for OpenShift client IDs and scopes, this function will be the place to thread them through instead of relying on the default service account and static scope.

No blockers from this file.

Also applies to: 100-169

proxy/auth/auth.go (3)

196-205: Customer‑token provider detection via *TokenAuthProvider is simple and effective

Using a concrete type check in isProviderWithCustomerToken cleanly separates K8s token providers (direct validation, no PKCE/BFF) from OAuth‑style providers, and it’s reused consistently in Login and Refresh. As long as we don’t introduce additional customer‑token provider types without extending this helper, this remains easy to reason about.

395-457: Refresh routing via provider type is correct; error responses could be slightly more consistent

The refresh handler correctly:

Short‑circuits when auth is disabled (Teapot) or session cookie parsing fails.

Requires a provider in the session, resolves it via getProviderInstance, and distinguishes customer‑token K8s providers (refresh unsupported) from OAuth‑style providers.

Requires a refresh token, resolves client_id from the provider config, and performs a backend /token refresh via exchangeTokenWithApiServer, translating the result into TokenData.

Functionally this is fine. The only small improvement would be to use respondWithError (with a message) instead of raw w.WriteHeader(http.StatusInternalServerError) in the error paths where provider resolution or client_id extraction fails, to keep responses uniform for callers.

608-645: getAuthInfo behavior is fine; log message is slightly misleading

getAuthInfo correctly:

Uses the API TLS config to GET /api/v1/auth/config.

Interprets HTTP 418 as “auth disabled” and returns (nil, nil) to signal that.

Propagates all other errors and unmarshals a valid AuthConfig JSON on success.

Minor nit: the log message "Failed to read terminal session response" is clearly copy‑pasted and should mention “auth config response” instead to avoid confusion when debugging.

libs/ui-components/src/components/AuthProvider/CreateAuthProvider/types.ts (1)

1-96: Type guards and form model look consistent with backend contracts

This module is well‑structured:

OrgAssignmentType / RoleAssignmentType and the is* type guards correctly discriminate on the type field for the imported assignment/spec unions.

AuthProviderFormValues captures the key OIDC/OAuth2 fields plus org/role assignment data and maps cleanly onto what the backend types expose.

FieldValidation and FieldValidationResult mirror the Go structs in proxy/bridge/testauth.go (field names and optional notes/value), keeping the test‑connection pipeline strongly typed on both sides.

Only minor polish you might consider later: DEFAULT_USERNAME_CLAIM / DEFAULT_ROLE_CLAIM are flat strings while the corresponding form fields (usernameClaim, roleClaimPath) are string arrays; a tiny helper to convert those constants into path arrays (e.g. [DEFAULT_USERNAME_CLAIM]) would make the defaults plug‑and‑play.

proxy/auth/oidc.go (1)

37-124: OIDC handler refactor matches the new BFF/PKCE model; consider trimming unused internalAuthURL path

The OIDC handler now:

Validates Issuer and ClientId from OIDCProviderSpec.

Discovers endpoints via /.well-known/openid-configuration and builds clients with getOIDCClient, including dynamically built scopes (openid profile email plus organization:* when enabled).

Stores tokenEndpoint, clientId, and providerName on the handler and uses them in GetToken and GetLoginRedirectURL.

Defers user info to the API server via the same “GetUserInfo should be retrieved through the flightctl API” contract used by other providers.

Adds client_id to the logout URL, aligning with how the backend and IdPs typically expect end‑session requests.

Functionally this looks good and consistent with the rest of the refactor. The only minor clean‑up is that internalAuthURL is now always nil, so the branch that rebuilds endpoints via replaceBaseURL and re‑creates an external client is currently unreachable. If internal vs external OIDC endpoints are no longer supported, you could remove that code path to reduce cognitive load; otherwise, wiring internalAuthURL from spec when/if it appears again would make the behavior clearer.

Based on learnings

Also applies to: 146-206
proxy/auth/common.go (3)
335-343: Add a timeout to the HTTP client used for token exchange

The custom http.Client for the token exchange inherits the zero Timeout, so a slow or wedged token endpoint could hang a request indefinitely on this path.

Consider setting a reasonable timeout (e.g., 10–30 seconds, or reusing a shared client with standard timeouts) to keep the proxy responsive:
httpClient := &http.Client{
-    Transport: &http.Transport{
-        TLSClientConfig: tlsConfig,
-    },
+    Transport: &http.Transport{
+        TLSClientConfig: tlsConfig,
+    },
+    Timeout: 10 * time.Second,
}
691-751: PKCE verifier cookie handling is sound; consider scope and log level

Storing the code_verifier in an HttpOnly cookie with SameSite=Lax and a short MaxAge, and then clearing it with a MaxAge -1, is consistent with the redirect‑based PKCE flow. A couple of minor considerations:

getPKCEVerifierCookie logs a Warn when the cookie is missing or empty, but for the “fallback via state” path that can be an expected condition; using Debug for the missing‑cookie case would reduce noise.

Cookie Path = / is fine, but if only the callback endpoint needs it, narrowing the path could slightly reduce exposure in case of other endpoints or subapps reading cookies.

Neither is a blocker, just small polish items.

189-308: Remove unreachable reflection fallback; all call sites provide explicit config values

The reflection code (lines 203–275) that attempts to extract tokenURL, clientID, and redirectURI from osincli.Client.Config is never executed. All four call sites in openshift.go, oidc.go, oauth2.go, and aap.go pass explicit, non-empty values for these parameters, so the condition at line 203 is never true. Simplify exchangeToken() by removing the unused reflection fallback entirely and requiring explicit configuration, or remove the optional parameters altogether if they are always expected to be provided. This eliminates the brittle reflection dependency and clarifies intent.
proxy/bridge/testauth.go (2)
47-91: TestConnection handler structure is solid; consider minor hardening

The handler correctly:

Restricts to POST.

Validates JSON into TestConnectionRequest.

Constructs an http.Client with your tls.Config and a 10s timeout.

Dispatches by providerType and returns a JSON results array.

You might optionally handle json.NewEncoder(w).Encode(response) errors (e.g., log at Warn) to cover rare cases where the connection drops while writing, but behavior today is acceptable for this diagnostic endpoint.

93-225: OIDC discovery and endpoint checks are good; normalize issuer URL to avoid false mismatches

The OIDC branch does the right things: calls issuer/.well-known/openid-configuration, validates required endpoints, and then probes the discovered URLs.

One improvement: user‑supplied issuers often vary only by a trailing / compared to the discovery document. Today you:

Build discoveryUrl straight from req.Issuer.

Compare discovery.Issuer != req.Issuer and record a note, but don’t treat it as an error.

To reduce noisy notes and potential confusion, consider normalizing both values before comparison and when building the discovery URL:
- discoveryUrl := fmt.Sprintf("%s/.well-known/openid-configuration", req.Issuer)
+ issuer := strings.TrimRight(req.Issuer, "/")
+ discoveryUrl := fmt.Sprintf("%s/.well-known/openid-configuration", issuer)
...
- if discovery.Issuer != req.Issuer {
+ if strings.TrimRight(discovery.Issuer, "/") != issuer {
    issuerNotes = append(issuerNotes,
        fmt.Sprintf("Discovery document issuer (%s) does not match provided issuer (%s)", discovery.Issuer, req.Issuer))
}
This keeps the “issuer mismatch” note focused on genuinely different values instead of benign trailing slashes.

coderabbitai

Actionable comments posted: 0

♻️ Duplicate comments (3)

libs/ui-components/src/components/AuthProvider/CreateAuthProvider/utils.ts (2)

177-215: Wrap switch-case declarations in blocks to satisfy noSwitchDeclarations.

As noted in previous reviews, const declarations inside switch cases share lexical scope across cases, which violates noSwitchDeclarations. Wrap the case bodies that declare variables (aClaimPath, bClaimPath) in blocks.

Apply this diff:

   switch (a.type) {
     case OrgAssignmentType.Static:
       if (!isOrgAssignmentStatic(a) || !isOrgAssignmentStatic(b)) {
         return false;
       }
       return (a.organizationName || '') === (b.organizationName || '');
-    case OrgAssignmentType.Dynamic:
+    case OrgAssignmentType.Dynamic: {
       if (!isOrgAssignmentDynamic(a) || !isOrgAssignmentDynamic(b)) {
         return false;
       }
       const aClaimPath = a.claimPath || [];
       const bClaimPath = b.claimPath || [];
       if (aClaimPath.length !== bClaimPath.length) {
         return false;
       }
       if (!aClaimPath.every((val, idx) => val === bClaimPath[idx])) {
         return false;
       }
       return (
         (a.organizationNamePrefix || '') === (b.organizationNamePrefix || '') &&
         (a.organizationNameSuffix || '') === (b.organizationNameSuffix || '')
       );
+    }
     case OrgAssignmentType.PerUser:
       if (!isOrgAssignmentPerUser(a) || !isOrgAssignmentPerUser(b)) {
         return false;
       }
       return (
         (a.organizationNamePrefix || '') === (b.organizationNamePrefix || '') &&
         (a.organizationNameSuffix || '') === (b.organizationNameSuffix || '')
       );

221-255: Wrap switch-case declarations in blocks to satisfy noSwitchDeclarations.

As noted in previous reviews, wrap the case bodies that declare variables (aRoles, bRoles, aClaimPath, bClaimPath) in blocks to isolate their scope.

Apply this diff:

   switch (a.type) {
-    case RoleAssignmentType.Static:
+    case RoleAssignmentType.Static: {
       if (!isRoleAssignmentStatic(a) || !isRoleAssignmentStatic(b)) {
         return false;
       }
       const aRoles = a.roles || [];
       const bRoles = b.roles || [];
       if (aRoles.length !== bRoles.length) {
         return false;
       }
       // Compare roles arrays (order matters for roles)
       return aRoles.every((val, idx) => val === bRoles[idx]);
-    case RoleAssignmentType.Dynamic:
+    }
+    case RoleAssignmentType.Dynamic: {
       if (!isRoleAssignmentDynamic(a) || !isRoleAssignmentDynamic(b)) {
         return false;
       }
       const aClaimPath = a.claimPath || [];
       const bClaimPath = b.claimPath || [];
       if (aClaimPath.length !== bClaimPath.length) {
         return false;
       }
       // Compare claim path arrays (order matters)
       if (!aClaimPath.every((val, idx) => val === bClaimPath[idx])) {
         return false;
       }
       return (a.separator || DEFAULT_ROLE_SEPARATOR) === (b.separator || DEFAULT_ROLE_SEPARATOR);
+    }
     default:
       return false;
   }

apps/standalone/src/app/components/Login/LoginPage.tsx (1)

15-20: Add response validation and error handling to redirectToProviderLogin.

This concern was previously raised and remains unaddressed. The function doesn't validate the HTTP response status or check if the url field exists in the response body. On 4xx/5xx errors or malformed responses, the code will attempt to redirect to undefined, bypassing error handlers.

Apply this diff to add proper validation:
 const redirectToProviderLogin = async (provider: AuthProvider) => {
   // Backend generates PKCE parameters and stores code_verifier in a cookie
   const response = await fetch(`${loginAPI}?provider=${provider.metadata.name}`);
+
+  if (!response.ok) {
+    throw new Error(`Login redirect failed with status ${response.status}`);
+  }
+
-  const { url } = (await response.json()) as { url: string };
+  const { url } = (await response.json()) as { url?: string };
+  if (!url) {
+    throw new Error('Login redirect URL missing in response');
+  }
+
   window.location.href = url;
 };

🧹 Nitpick comments (4)

libs/ui-components/src/utils/k8sProvider.ts (1)
11-11: Prefer Math.floor() for Unix timestamps.

Using Math.round() can produce timestamps up to 0.5 seconds in the future, which may cause edge-case issues with JWT validation (e.g., token appears issued before it actually was). Math.floor() is the conventional choice for Unix timestamps.

Apply this diff:
-export const nowInSeconds = () => Math.round(Date.now() / 1000);
+export const nowInSeconds = () => Math.floor(Date.now() / 1000);
libs/ui-components/src/components/AuthProvider/CreateAuthProvider/utils.ts (2)
100-101: Consider adding a fallback for organizationName.

For consistency with line 150 in getOrgAssignment, which uses values.orgName || '', consider adding a fallback here to handle potential undefined values defensively.

Apply this diff:
   } else {
     orgAssignmentType = OrgAssignmentType.Static;
-    orgName = orgAssignment.organizationName;
+    orgName = orgAssignment.organizationName || '';
   }
257-272: Remove unnecessary type assertions.

AuthStaticRoleAssignment and AuthDynamicRoleAssignment are already subtypes of AuthRoleAssignment, so the explicit casts on lines 263 and 270 are unnecessary.

Apply this diff:
   if (values.roleAssignmentType === RoleAssignmentType.Static) {
     const staticAssignment: AuthStaticRoleAssignment = {
       type: RoleAssignmentType.Static,
       roles: values.staticRoles || [],
     };
-    return staticAssignment as AuthRoleAssignment;
+    return staticAssignment;
   } else {
     const dynamicAssignment: AuthDynamicRoleAssignment = {
       type: RoleAssignmentType.Dynamic,
       claimPath: values.roleClaimPath || [],
       separator: values.roleSeparator || DEFAULT_ROLE_SEPARATOR,
     };
-    return dynamicAssignment as AuthRoleAssignment;
+    return dynamicAssignment;
   }
proxy/auth/common.go (1)

190-309: Consider refactoring reflection-based config extraction.

The reflection code (lines 203-276 for config fields, 278-309 for TLS) extracts internal osincli.Client configuration. While functional, this approach is fragile:

Breaks if osincli changes internal field names or structure

The code tries both Config and config, TokenUrl and tokenUrl to handle variations

Relies on unexported fields

Consider requesting these values as explicit parameters to exchangeToken from all call sites, or wrapping osincli.Client in an interface with accessor methods.

The sensitive logging on lines 322-368 has already been flagged and acknowledged as temporary for debugging.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b11e3fa and 6f78b5e.

⛔ Files ignored due to path filters (1)

proxy/go.sum is excluded by !**/*.sum

📒 Files selected for processing (22)

apps/standalone/src/app/components/Login/LoginPage.tsx (1 hunks)
libs/types/index.ts (4 hunks)
libs/types/models/AppType.ts (1 hunks)
libs/types/models/ApplicationPort.ts (1 hunks)
libs/types/models/ApplicationResourceLimits.ts (1 hunks)
libs/types/models/ApplicationResources.ts (1 hunks)
libs/types/models/ApplicationVolume.ts (1 hunks)
libs/types/models/AuthProviderSpec.ts (1 hunks)
libs/types/models/ImageApplicationProviderSpec.ts (1 hunks)
libs/types/models/ImageMountVolumeProviderSpec.ts (1 hunks)
libs/types/models/K8sProviderSpec.ts (0 hunks)
libs/types/models/MountVolumeProviderSpec.ts (1 hunks)
libs/types/models/OpenShiftProviderSpec.ts (1 hunks)
libs/types/models/VolumeMount.ts (1 hunks)
libs/ui-components/src/components/AuthProvider/CreateAuthProvider/RoleAssignmentSection.tsx (1 hunks)
libs/ui-components/src/components/AuthProvider/CreateAuthProvider/utils.ts (1 hunks)
libs/ui-components/src/utils/k8sProvider.ts (1 hunks)
proxy/auth/api_client.go (1 hunks)
proxy/auth/auth.go (7 hunks)
proxy/auth/common.go (3 hunks)
proxy/auth/openshift.go (1 hunks)
proxy/go.mod (1 hunks)

💤 Files with no reviewable changes (1)

libs/types/models/K8sProviderSpec.ts

🚧 Files skipped from review as they are similar to previous changes (1)

libs/ui-components/src/components/AuthProvider/CreateAuthProvider/RoleAssignmentSection.tsx

🧰 Additional context used

🧠 Learnings (9)

📓 Common learnings

Learnt from: celdrake
Repo: flightctl/flightctl-ui PR: 371
File: libs/types/models/AppType.ts:10-10
Timestamp: 2025-10-29T16:47:29.614Z
Learning: PR #371 (flightctl/flightctl-ui) adds the AppTypeQuadlet enum member and related types as a preparatory change. Full implementation of quadlet application support in the UI will be added later, after backend support is available.

📚 Learning: 2025-11-20T07:33:34.630Z

Learnt from: celdrake
Repo: flightctl/flightctl-ui PR: 378
File: libs/ui-components/src/utils/authProvider.ts:5-18
Timestamp: 2025-11-20T07:33:34.630Z
Learning: In the flightctl-ui repository, for AuthProvider objects, the metadata.name field is always present at runtime as it serves as the ID of the authprovider. The OpenAPI schema incorrectly defines it as optional (name?: string in ObjectMeta), but the type assertion `as string` is appropriate when accessing provider.metadata.name since it's guaranteed to exist.

Applied to files:

libs/types/models/AuthProviderSpec.ts
libs/types/models/OpenShiftProviderSpec.ts
libs/ui-components/src/components/AuthProvider/CreateAuthProvider/utils.ts

📚 Learning: 2025-10-10T11:35:04.458Z

Learnt from: celdrake
Repo: flightctl/flightctl-ui PR: 0
File: :0-0
Timestamp: 2025-10-10T11:35:04.458Z
Learning: In the flightctl-ui repository, TypeScript types are generated using hey-api/openapi-ts and output to a single index.ts file (previously used openapi-typescript-codegen with one file per type under /libs/types/models).

Applied to files:

libs/types/models/OpenShiftProviderSpec.ts
libs/types/index.ts

📚 Learning: 2025-10-29T16:47:29.614Z

Learnt from: celdrake
Repo: flightctl/flightctl-ui PR: 371
File: libs/types/models/AppType.ts:10-10
Timestamp: 2025-10-29T16:47:29.614Z
Learning: PR #371 (flightctl/flightctl-ui) adds the AppTypeQuadlet enum member and related types as a preparatory change. Full implementation of quadlet application support in the UI will be added later, after backend support is available.

Applied to files:

libs/types/models/AppType.ts
libs/ui-components/src/components/AuthProvider/CreateAuthProvider/utils.ts
proxy/auth/api_client.go
proxy/auth/common.go

📚 Learning: 2025-03-24T12:33:54.002Z

Learnt from: rawagner
Repo: flightctl/flightctl-ui PR: 209
File: proxy/auth/oidc.go:17-19
Timestamp: 2025-03-24T12:33:54.002Z
Learning: OIDC (OpenID Connect) providers return usernames in the `preferred_username` field, as implemented in the OIDCUserInfo struct in proxy/auth/oidc.go.

Applied to files:

proxy/auth/auth.go
proxy/auth/common.go

📚 Learning: 2025-02-17T08:41:57.993Z

Learnt from: celdrake
Repo: flightctl/flightctl-ui PR: 0
File: :0-0
Timestamp: 2025-02-17T08:41:57.993Z
Learning: All files in `libs/types/models` are auto-generated using OpenAPI Generator from the schema defined in https://github.com/flightctl/flightctl/blob/main/api/v1alpha1/openapi.yaml. Changes to these files should be made in the schema instead of modifying the generated files directly.

Applied to files:

libs/types/index.ts
proxy/auth/api_client.go
proxy/go.mod

📚 Learning: 2025-03-20T12:34:33.199Z

Learnt from: celdrake
Repo: flightctl/flightctl-ui PR: 240
File: libs/types/models/FileSpec.ts:8-8
Timestamp: 2025-03-20T12:34:33.199Z
Learning: Files in the types directory are autogenerated from the OpenAPI spec in the flightctl project and should not be directly modified.

Applied to files:

proxy/auth/api_client.go

📚 Learning: 2025-06-04T06:41:15.969Z

Learnt from: celdrake
Repo: flightctl/flightctl-ui PR: 308
File: libs/ui-components/src/components/Device/EditDeviceWizard/deviceSpecUtils.ts:204-204
Timestamp: 2025-06-04T06:41:15.969Z
Learning: In the flightctl-ui codebase, volume functionality is not yet implemented in the backend. TODO comments related to volume preservation (like in toAPIApplication function) are intentional placeholders for when backend volume support is added.

Applied to files:

proxy/auth/api_client.go

📚 Learning: 2025-10-21T13:53:29.934Z

Learnt from: celdrake
Repo: flightctl/flightctl-ui PR: 357
File: proxy/auth/auth.go:228-237
Timestamp: 2025-10-21T13:53:29.934Z
Learning: In proxy/auth/auth.go, the token cleanup cycles in `startTokenCleanup` and `cleanupExpiredTokens` are designed for memory management of unretrieved tokens, not as a primary security control. The single-use deletion in `getSingleUseApiTokenMapping` provides the security guarantee. TTL enforcement on retrieval is intentionally not implemented because tokens are expected to be retrieved immediately after creation.

Applied to files:

proxy/auth/api_client.go

🧬 Code graph analysis (16)

libs/types/models/MountVolumeProviderSpec.ts (1)

libs/types/models/VolumeMount.ts (1)

VolumeMount (8-13)

libs/types/models/AuthProviderSpec.ts (2)

libs/types/index.ts (1)

OpenShiftProviderSpec (143-143)

libs/types/models/OpenShiftProviderSpec.ts (1)

OpenShiftProviderSpec (8-49)

libs/types/models/ImageMountVolumeProviderSpec.ts (1)

libs/types/models/VolumeMount.ts (1)

VolumeMount (8-13)

libs/types/models/VolumeMount.ts (1)

libs/types/index.ts (1)

VolumeMount (187-187)

libs/types/models/ApplicationPort.ts (1)

libs/types/index.ts (1)

ApplicationPort (10-10)

apps/standalone/src/app/components/Login/LoginPage.tsx (4)

libs/types/models/AuthProvider.ts (1)

AuthProvider (10-21)

apps/standalone/src/app/utils/apiCalls.ts (1)

loginAPI (17-17)

libs/ui-components/src/utils/authProvider.ts (1)

getProviderDisplayName (5-18)

libs/types/models/AuthConfig.ts (1)

AuthConfig (6-23)

libs/types/models/OpenShiftProviderSpec.ts (1)

libs/types/index.ts (1)

OpenShiftProviderSpec (143-143)

libs/types/models/ApplicationResources.ts (2)

libs/types/index.ts (2)

ApplicationResources (13-13)

ApplicationResourceLimits (12-12)

libs/types/models/ApplicationResourceLimits.ts (1)

ApplicationResourceLimits (8-17)

libs/types/models/ApplicationVolume.ts (1)

libs/types/models/ImageVolumeProviderSpec.ts (1)

ImageVolumeProviderSpec (6-8)

libs/types/models/ApplicationResourceLimits.ts (1)

libs/types/index.ts (1)

ApplicationResourceLimits (12-12)

proxy/auth/auth.go (5)

proxy/auth/common.go (8)

AuthProvider (70-76)

ProviderTypeOpenShift (31-31)

ProviderTypeK8s (27-27)

ProviderTypeOIDC (28-28)

ProviderTypeAAP (29-29)

ProviderTypeOAuth2 (30-30)

LoginParameters (65-68)

ParseSessionCookie (95-120)

proxy/auth/k8s.go (2)

TokenAuthProvider (17-21)

TokenLoginParameters (23-25)

proxy/config/config.go (1)

BaseUiUrl (16-16)

libs/types/models/TokenRequest.ts (1)

TokenRequest (8-37)

libs/types/models/TokenResponse.ts (1)

TokenResponse (8-33)

libs/types/models/ImageApplicationProviderSpec.ts (3)

libs/types/models/ApplicationVolumeProviderSpec.ts (1)

ApplicationVolumeProviderSpec (6-11)

libs/types/models/ApplicationPort.ts (1)

ApplicationPort (8-8)

libs/types/models/ApplicationResources.ts (1)

ApplicationResources (9-11)

libs/ui-components/src/components/AuthProvider/CreateAuthProvider/utils.ts (5)

libs/ui-components/src/components/AuthProvider/CreateAuthProvider/types.ts (8)

AuthProviderFormValues (56-82)

DEFAULT_ROLE_SEPARATOR (23-23)

isOrgAssignmentDynamic (35-37)

isOrgAssignmentPerUser (39-41)

isRoleAssignmentStatic (48-50)

isRoleAssignmentDynamic (52-54)

isOAuth2Provider (28-29)

isOrgAssignmentStatic (31-33)

libs/ui-components/src/types/extraTypes.ts (1)

DynamicAuthProviderSpec (82-82)

libs/types/models/AuthDynamicRoleAssignment.ts (1)

AuthDynamicRoleAssignment (8-21)

libs/ui-components/src/utils/patch.ts (1)

appendJSONPatch (23-54)

libs/ui-components/src/components/form/validations.ts (1)

validKubernetesDnsSubdomain (151-166)

proxy/auth/api_client.go (7)

libs/types/models/TokenRequest.ts (1)

TokenRequest (8-37)

libs/types/models/TokenResponse.ts (1)

TokenResponse (8-33)

proxy/config/config.go (1)

FctlApiUrl (10-10)

proxy/log/log.go (1)

GetLogger (17-19)

proxy/auth/auth.go (1)

UserInfoResponse (19-21)

libs/types/models/UserInfoResponse.ts (1)

UserInfoResponse (9-30)

proxy/auth/common.go (1)

TokenData (40-55)

proxy/auth/openshift.go (5)

proxy/auth/common.go (3)

AuthProvider (70-76)

LoginParameters (65-68)

TokenData (40-55)

libs/types/models/OpenShiftProviderSpec.ts (1)

OpenShiftProviderSpec (8-49)

proxy/bridge/common.go (1)

GetAuthTlsConfig (40-65)

proxy/config/config.go (1)

BaseUiUrl (16-16)

proxy/log/log.go (1)

GetLogger (17-19)

proxy/auth/common.go (2)

proxy/log/log.go (1)

GetLogger (17-19)

proxy/config/config.go (2)

BaseUiUrl (16-16)

TlsCertPath (15-15)

🪛 Biome (2.1.2)

libs/ui-components/src/components/AuthProvider/CreateAuthProvider/utils.ts

[error] 192-192: Other switch clauses can erroneously access this declaration.
Wrap the declaration in a block to restrict its access to the switch clause.

The declaration is defined in this switch clause: