Support lakectl login: client, controller stub

[arielshaqed]

Add support for lakectl login:

• Client support in lakectl.
• Stub support in the controller.

In order actually to use this code, however, you will need an implementation of a LoginTokenProvider. Currently only lakeFS Enterprise provides this.

Closes treeverse/lakefs-enterprise#1194, treeverse/lakefs-enterprise#1196.

[github-actions]

📚 Documentation preview at https://pr-9644.docs-lakefs-preview.io/

(Updated: 11/23/2025, 12:14:48 PM - Commit: 6760013)

[Copilot]

Pull Request Overview

This PR introduces browser-based token authentication functionality for lakeFS, enabling users to log in via a web browser and obtain authentication tokens without requiring manual credential input.

Key changes:

• Implements a new login token provider interface and three new API endpoints for browser-based authentication flow
• Adds a new lakectl login command that opens a browser for authentication
• Refactors HTTP header setting by introducing a KeepPrivate() utility function for security headers

Reviewed Changes

Copilot reviewed 39 out of 44 changed files in this pull request and generated 25 comments.

Show a summary per file

File	Description
pkg/authentication/tokens.go	Defines the LoginTokenProvider interface for browser-based token authentication
pkg/authentication/internalidp/jwt_auth.go	Implements JWT authentication client for login token flow
pkg/api/controller.go	Adds three new controller methods for the token authentication endpoints and refactors security headers
pkg/httputil/response.go	Introduces KeepPrivate() helper function to set security headers
modules/authentication/factory/login_token.go	Provides unimplemented login token provider factory
cmd/lakectl/cmd/login.go	Implements new lakectl login command for browser-based authentication
cmd/lakectl/cmd/root.go	Adds JWT authentication support and login retry configuration
cmd/lakectl/cmd/retry_client.go	Refactors retry logic to be more configurable
go.mod, go.sum	Updates dependencies (deckarep/golang-set, matoous/go-nanoid, elnormous/contenttype)
api/swagger.yml	Defines OpenAPI specification for the three new authentication endpoints
docs/src/reference/cli.md, esti/golden/lakectl_help.golden	Adds documentation for the new login command
clients/*	Auto-generated client code for Rust, Python, and Java SDKs

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Double period at the end of the comment. Should be a single period.

[arielshaqed]

True, thanks!

[Copilot]

The Content-Type header should be set in addition to the other security headers, not replaced by KeepPrivate(). The usage report endpoint expects text/plain; charset=utf-8 content type which is now missing.

[arielshaqed]

True, thanks!

[Copilot]

The WriteHeader call should come before writing the response body, not after. The template execution writes to the response, so WriteHeader should be called before ExecuteTemplate.

[arielshaqed]

True, thanks!

[Copilot]

Test is always false.

Suggested change

	} else if ( localBasePaths.length > 0 ) {
	basePath = localBasePaths[localHostIndex];

[Copilot]

Test is always false.

Suggested change

	} else if ( localBasePaths.length > 0 ) {
	basePath = localBasePaths[localHostIndex];

[Copilot]

Modification of the locals() dictionary will have no effect on the local variables.

[Copilot]

Modification of the locals() dictionary will have no effect on the local variables.

[Copilot]

Modification of the locals() dictionary will have no effect on the local variables.

[Copilot]

Modification of the locals() dictionary will have no effect on the local variables.

[Copilot]

Modification of the locals() dictionary will have no effect on the local variables.

[arielshaqed]

Thanks!

PTAL...

[arielshaqed]

True, thanks!

[arielshaqed]

True, thanks!

[arielshaqed]

True, thanks!

[Isan-Rivkin]

Suggestion:

Instead of /auth/login i think you should use whatever the ui uses to login.

Why now:

because lakectl login means user don't have credentials, taking them to /auth/login page specifically will enable using static credentials but that's the problem: they don't have them.
If we redirect to login flow of the browser users then it will actually enable SSO.

How

• Use the same value for login url we pass to the ui (returned under setup_lakefs GET endpoitn in the UI) and that's the path the ui will use to redirect to login page.

[arielshaqed]

True, that's always at least as good, and in any nontrivial configuration it should be even better.

Confusingly, the config option with this default value is ui_config.logout_redirect_url 🤦🏽 , and ui_config.login_url is usually blank. Contacting you directly to decide which really to do, and for now doing ui_config.login_url if set, otherwise /auth/login.

[Isan-Rivkin]

Blocking:
I think this is broken in case the user not already logged in.

For example try:

1. logout in browser
2. call lakectl login
3. browser pops-up > insert correct credentials
4. user redirected to /auth/login but is never going to next
5. lakectl keeps polling and fails eventually

Another example is simply copy the lakectl url and use in incognito mode, same result.

[arielshaqed]

Thanks for a very thorough review! Each comment could break login in some cases :-/ . Indeed cb3411490 fixes a breakage that was introduced in #9593 😿

PTAL.

[arielshaqed]

True, that's always at least as good, and in any nontrivial configuration it should be even better.

Confusingly, the config option with this default value is ui_config.logout_redirect_url 🤦🏽 , and ui_config.login_url is usually blank. Contacting you directly to decide which really to do, and for now doing ui_config.login_url if set, otherwise /auth/login.

[arielshaqed]

• @Annaseli ! Thanks for your help doing cb34114. Could you please review that commit? Of course I'd be very happy for you to review the rest of the PR, too.

[Annaseli]

• @Annaseli ! Thanks for your help doing cb34114. Could you please review that commit? Of course I'd be very happy for you to review the rest of the PR, too.

@arielshaqed
sure, i'll review it a bit later today

[Isan-Rivkin]

tested together f2f, asking for changes so that i get notified

[Isan-Rivkin]

LGTM! Thanks!

[arielshaqed]

Thanks!

I retested against an Enterprise version:

• With local auth
• With SAML (keycloak)

We will verify OIDC later, as agreed. PULLING, thanks for the great reviews!

[Annaseli]

Do you also need the 404 case here?

[Annaseli]

Do you also need the 404 case here?

[Annaseli]

I figured out the OIDC redirection issue we were seeing.
The code that works for me is:

redirectURL := url.URL{
    Path:     "/auth/login",
    RawQuery: fmt.Sprintf("redirected=true&next=%s", url.QueryEscape(r.URL.String())),
}

instead of:

redirectURL, err := url.Parse(c.Config.AuthConfig().GetLoginURL())
if c.handleAPIError(ctx, w, r, err) {
    return
}
q := redirectURL.Query()
q.Set("next", r.URL.String()) // Encode query-escapes this string.
redirectURL.RawQuery = q.Encode()

So c.Config.AuthConfig().GetLoginURL() is no longer needed here.

Why this fixes the OIDC redirection issue?

The problem was that ReleaseTokenToMailbox was redirecting directly to the OIDC login URL (for example login_url: http://localhost:8000/oidc/login), which bypassed our React auth flow.

Our React auth flow does the following:

1. When an unauthenticated user hits a protected endpoint, it:

• Stores the requested endpoint in sessionStorage and state. So the user is redirected back correctly after authentication.
• Redirects to /auth/login.

2. /auth/login is a the single source of truth for login (via the loginStrategy as can be seen in the webui/src/pages/auth/login.tsx I added recently).
   It decides whether to:

• Show the local login form, or
• Redirect to the SSO login URL.
  The decision to redirect to SSO is based on the redirected=true query param:
• The login strategy is called if /auth/login was called with redirected=true.
• If so, and an SSO login URL is configured, it redirects to the SSO login URL from there.

By redirecting directly to the OIDC login URL from the server, we were skipping this React-based logic and breaking out of the flow that manages next and session state. That’s why we need to redirect to /auth/login instead, and let the frontend handle:

• Whether to go to SSO or local login.
• Where to redirect back to after authentication.

Note: currently in the SSO flow we don’t pass next as a query param to the IdP; we rely on sessionStorage and state, and the AuthProvider reads from there to navigate back after authentication.

(/auth/login should be const in my code)

Tested in Enterprise with the following configurations: local auth, LDAP, and OIDC - it redirects correctly with this code for all of them.

[Isan-Rivkin]

@arielshaqed, I had no knowledge of this behavior that if we go through /auth/login while query param redirected=true it'll redirect you to the correct login_url (i.e sso oidc saml) if you are not logged in.

I tested and inspected the code, @Annaseli is right 👏 !

@Annaseli I tested your suggestion and I can confirm as well, it works for both OIDC and SAML out of the box (While current fix only applies to SAML and does not work with OIDC, verified it by me).

The changes I applied (based on anna's suggestion):

redirectURL := url.URL{
    Path:     "/auth/login",
    RawQuery: fmt.Sprintf("redirected=true&next=%s", url.QueryEscape(r.URL.String())),
}

And the redirect logic just works.
I think it's worth pushing a fix for this before the release.

@Annaseli , thank you for being on top of this.

[arielshaqed]

On it.

[arielshaqed]

But I will use URL.Query rather than edit RawQuery directly, which is nonscalable and fails easily.

[arielshaqed]

THANKS!

[Annaseli]

I suggest adding the fullPath, in case we need location.search and location.hash in the path future.

useEffect(() => {
	const fullPath = location.pathname + location.search + location.hash;
	window.location.replace(fullPath);
    }, [location.pathname, location.search, location.hash]);

[Annaseli]

Could we move the Redirect component to lakefs-oss/webui/src/lib/components so that webui/src/pages/index.jsx is used only for route definitions?

[Annaseli]

For readability, can we move
<Route path="*" element={<Navigate to="/repositories" replace />} />
so it appears directly under
<Route path="api/v1/auth/get-token/release-token/*" element={<Redirect />} />
This will make it clearer that it’s inside the block:
<Route element={<RequiresAuth />} >

[arielshaqed]

@Annaseli I think @Isan-Rivkin asked for the exact opposite here - the redirect URL is sometimes used at customer installations, so we cannot ignore it. In any case this is the default value AFAIU - does avoiding it matter so much?

Or, is the important bit the redirected=true parameter?

[Annaseli]

@arielshaqed @Isan-Rivkin

1. When you say “the redirect URL is sometimes used at customer installations” - what exactly do you mean?
   If you’re referring to a setup where in the configuration we have login_url=<custom> that redirects the WebUI user directly to the OIDC login (for example Auth0 URL) instead of first going through the local lakeFS login page, then redirecting to /auth/login?redirected=true results in the same behavior (the wanted direct redirection to oidc url). The frontend handles the actual redirect using the loginStrategy, which performs the redirect.
   In other words, the customer-specific login_url is not ignored; the redirect just happens inside the LoginPage component (webui/src/pages/auth/login.tsx).

2. When you say “In any case this is the default value” , which value are you referring to (the /auth/login ?), and where is that default defined?

3. When you say “avoiding it”, what exactly are we avoiding?
   Are you suggesting we avoid passing the customer-specific login_url they configured? If so, that’s not what happens: we do respect that login_url. It just that the redirect to it is performed from the LoginPage.

the redirected=true parameter is relevant only in the /auth/login url.

[Annaseli]

@arielshaqed
Another thing (issue?) I noticed:
When I run lakectl login → log in via the WebUI → I can run lakectl repo list as expected.

But if I then log out from the WebUI, I can still run lakectl repo list and get a response instead of a 401.
After that, if I try lakectl login again, I’m redirected to the WebUI login page and don’t get the “you are logged in” page as expected from lakectl login (so why can I still run the repo list command?).

[arielshaqed]

@arielshaqed Another thing (issue?) I noticed: When I run lakectl login → log in via the WebUI → I can run lakectl repo list as expected.

But if I then log out from the WebUI, I can still run lakectl repo list and get a response instead of a 401. After that, if I try lakectl login again, I’m redirected to the WebUI login page and don’t get the “you are logged in” page as expected from lakectl login (so why can I still run the repo list command?).

This is actually per spec, and also a limitation. Logging out of the web UI "just" drops a JWT that the web UI received. It does nothing to the JWT that lakectl received. So you can continue to use it. Of course, you cannot renew that token without logging into the web - you have no JWT there.

We could add a lakectl logout command, I guess. @ozkatz ?