Add --oidc-request-header flag (#1359)

* fix(authcode): Set Origin header on token request

Allow passing Azure AD CORS checks.

on-behalf-of: @eon-se opensource@eon.com
Signed-off-by: Maximilian Blatt <maximilian.blatt.external@eon.com>

* Add `--oidc-request-header` flag

* Add doc

---------

Signed-off-by: Maximilian Blatt <maximilian.blatt.external@eon.com>
Co-authored-by: Maximilian Blatt <maximilian.blatt.external@eon.com>
Hidetake Iwata
2025-07-13 11:04:40 +09:00
committed by GitHub
parent 8537977819
commit 3981c78387
8 changed files with 55 additions and 9 deletions


@@ -13,6 +13,7 @@ Flags:
--oidc-redirect-url string [authcode, authcode-keyboard] Redirect URL
--oidc-extra-scope strings Scopes to request to the provider
--oidc-use-access-token Instead of using the id_token, use the access_token to authenticate to Kubernetes
--oidc-request-header stringToString HTTP headers to send with an authentication request (default [])
--force-refresh If set, refresh the ID token regardless of its expiration time
--token-cache-dir string Path to a directory of the token cache (default "~/.kube/cache/oidc-login")
--token-cache-storage string Storage for the token cache. One of (disk|keyring|none) (default "disk")
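Review bot: The help text on the new `--oidc-request-header` line says "an authentication request" but does not say which requests carry the headers or which grant types honour the flag. The `--oidc-redirect-url` line above it is prefixed with `[authcode, authcode-keyboard]`, and the commit message speaks of the token request, so a reader cannot tell whether the headers go to the token endpoint only or to every provider call. Suggest naming the request(s), adding the same mode prefix if the flag applies only to some flows, and stating the `key=value` form, since `stringToString` and `(default [])` alone do not show how a value is written.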
@@ -88,6 +89,16 @@ you can enforce the code challenge method by `--oidc-pkce-method`.
For the most providers, you don't need to set this option explicitly.
### HTTP headers
If your provider requires extra HTTP headers, you can set them by `--oidc-request-header`.
For Azure AD Single Page Application with PKCE, you can set `Origin` header as follows:
```yaml
- --oidc-request-header=Origin=localhost
```
### CA certificate
You can use your self-signed certificate for the provider.
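Review bot: The example `--oidc-request-header=Origin=localhost` in the new "HTTP headers" section gives a bare host name, while an `Origin` header is normally a serialized origin with a scheme (and a port where it is not the default), so the text should say whether the bare value is intentional and how a user picks the right value for their setup. The section also does not say which requests to the provider receive these headers or how to pass more than one header; a sentence on each would help. It is also worth noting that anything set here is kept in plain text wherever this argument list is stored, so the flag is not a place for secrets.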