fix: use SPA availability check instead of UseInCluster for OIDC callback routing

[Copilot]

Summary

Fixes OIDC sign-in on desktop returning 404 at /auth?cluster=my-cluster. The OIDC callback used !config.UseInCluster to choose between desktop flow (token polling) and web flow (redirect to /auth), but the correct check is whether the SPA handler exists to serve /auth.

Related Issue

Changes

• backend/cmd/headlamp.go: Replace !config.UseInCluster with SPA availability check in the OIDC callback handler
• backend/cmd/headlamp_test.go: Add test for /oidc-token-poll endpoint

The callback handler now checks whether the SPA can actually serve the /auth route:

// Before — breaks when UseInCluster is true but no SPA is registered
if !config.UseInCluster {

// After — checks what actually matters: can /auth be served?
hasSPA := spa.UseEmbeddedFiles || config.StaticDir != ""
if !hasSPA {

Routing matrix after fix:

Mode	SPA available	Callback behavior
Electron desktop	No	Token polling + success HTML ✓
In-cluster (embedded/static)	Yes	Redirect to /auth ✓
Standalone binary with -html-static-dir	Yes	Redirect to /auth ✓

Steps to Test

1. Run Headlamp desktop (Electron) with an OIDC-configured cluster
2. Click "Sign In" on the auth chooser
3. Complete OIDC authentication in the system browser
4. Verify the browser shows "Authentication successful" (not a 404) and the Electron app completes auth via polling

Screenshots (if applicable)

Notes for the Reviewer

• The previous check (!config.UseInCluster) was a proxy for "are we in desktop mode" but conflated deployment mode with SPA availability. The new check directly tests what the code path needs: whether /auth can be served.
• spa.UseEmbeddedFiles is a compile-time constant (true with embed build tag, false otherwise). config.StaticDir is set via -html-static-dir flag. Together they cover all cases where the SPA handler is registered (line 954–967 of headlamp.go).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• test-cluster.example.com
  • Triggering command: /tmp/go-build3901459589/b001/cmd.test /tmp/go-build3901459589/b001/cmd.test -test.testlogfile=/tmp/go-build3901459589/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true lient-go@v0.33.3-errorsas .cfg ux_amd64/vet -p /informers/admis-atomic -lang=go1.24 ux_amd64/vet -I 6996502/b1238/_p-errorsas pkg/mod/github.c-ifaceassert ux_amd64/vet --gdwarf-5 /tools/portforwa-atomic -o ux_amd64/vet (dns block)
  • Triggering command: /tmp/go-build2130730644/b001/cmd.test /tmp/go-build2130730644/b001/cmd.test -test.testlogfile=/tmp/go-build2130730644/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true se 3834763/b080/vet-ifaceassert ux_amd64/vet r/executer.go /tmp/go-build144ls-files -I ux_amd64/vet (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>oidc on desktop still not working</issue_title>
<issue_description>quand je clique sur sign-in j'ai une fenetre navigateur http://localhost:4466/auth?cluster=my-cluster avec 404 page not found</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes oidc on desktop still not working #2

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.