MFA Login with plugin without Browser #950

Open
ghost opened this issue Jun 22, 2023 · 4 comments
Labels
question Further information is requested

Comments

@ghost
ghost commented Jun 22, 2023

Describe the question

When setting --username in kubeconfig, no browser opens Keycloak to ask for username and password; it just asks in the terminal directly. That's very nice. When the user has MFA configured in Keycloak, he has to log in with OTP. But then the login with the username option in kubeconfig does not work anymore (for the error, see the next line). Is there an option so that the OTP will be asked for in bash?
error: {"error":"invalid_grant","error_description":"Invalid user credentials"}

To reproduce

  • first kubectl command of the day e.g. kubectl get pods
  • kubeconfig has configured `--username`
  • Browser is not opening, you just type password in bash console

Your environment

  • OS: fedora 37
  • kubelogin version: kubelogin version v1.27.0
  • kubectl version: e.g. v1.27
  • OpenID Connect provider: keycloak 21
@ghost ghost added the question Further information is requested label Jun 22, 2023
@igurleen911
@dhorstmann were you able to resolve this issue?

@ghost
ghost commented Nov 20, 2023

@dhorstmann were you able to resolve this issue?

Nope.

@jsalatiel
jsalatiel commented Nov 8, 2024

I have forked this and added support for asking for OTP.

Just add this to your .kube/config:

users:
    - name: kubernetes-admin
      user:
        exec:
            apiVersion: client.authentication.k8s.io/v1beta1
            args:
                - oidc-login
                - get-token
                - --oidc-issuer-url=https://keycloak/auth/realms/master
                - --oidc-client-id=yourclientid
                - --grant-type=password
            command: kubectl
            env: null
            interactiveMode: IfAvailable
            provideClusterInfo: false

and you will get something like this:

image

Just clone from my fork and build it if you want.

@reski-rukmantiyo
yourclientid
- --grant-type=password

Thanks @jsalatiel
