Conversation

@binaryoverload
When using kubelogin (https://github.com/int128/kubelogin), the default authentication experience opens the user’s browser and runs a local HTTP callback listener to complete the OAuth flow.

This PR brings the same experience to the Rancher CLI, enabling easier Microsoft sign-in compared with the device-code flow (which can be more cumbersome).

Changes

  • Add two new flags to the token command:
    • --oauth-flow - select the OAuth flow (device is the default for backwards compatibility; authcode enables the browser-based flow)
    • --oauth-callback-port - local port to use for the redirect/callback listener
  • Implement the authorisation-code flow in token. When --oauth-flow=authcode is selected, the command will:
    • start a local HTTP server on the chosen port (localhost callback)
    • construct the OAuth authorisation URL and open it in the user’s browser
    • receive the auth code from the redirect request and exchange it for a token
    • submit that token to Rancher to obtain the cluster authentication token

AI Disclaimer

The bulk of this PR was drafted with GitHub Copilot (as indicated by the commit author), then manually reviewed and tested by me.

Copilot AI and others added 3 commits January 12, 2026 13:01
Add both OAuth flows: authorization code (default) and device code

- Added --oauth-flow flag to choose between "authcode" (default) and "device"
- Implemented authorization code flow with PKCE using Go native libraries
- Kept device code flow available for backward compatibility
- Added local HTTP server for OAuth callback
- Added browser auto-open functionality
- Added unit tests for PKCE functions and OAuth config

Co-authored-by: binaryoverload <15330699+binaryoverload@users.noreply.github.com>

Fix formatting issues (remove trailing newlines)

Co-authored-by: binaryoverload <15330699+binaryoverload@users.noreply.github.com>

Add configurable callback port for OAuth authcode flow

- Added --oauth-callback-port flag (default: 8888)
- Changed from random port to fixed configurable port
- Required for Azure AD redirect URI pre-configuration
- Updated tests to verify port configuration

Co-authored-by: binaryoverload <15330699+binaryoverload@users.noreply.github.com>

Fix redirectURI parameter usage in exchangeCodeForToken

- Use the passed redirectURI parameter instead of config.RedirectURL
- Ensures consistency between authorization and token exchange

Co-authored-by: binaryoverload <15330699+binaryoverload@users.noreply.github.com>

Add constants for OAuth flow types and timeouts

- Added OAuthFlowDevice and OAuthFlowAuthCode constants
- Added AuthTimeout and ServerShutdownTimeout constants
- Improves code maintainability and prevents typos

Co-authored-by: binaryoverload <15330699+binaryoverload@users.noreply.github.com>

Add validation for OAuth flow parameter

- Validate oauth-flow parameter in runCredential function
- Add explicit switch statement with validation in oauthAuth
- Provide clear error messages for invalid flow types
- Prevents silent fallback to default flow

Co-authored-by: binaryoverload <15330699+binaryoverload@users.noreply.github.com>
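The browser-based flow the description outlines (local callback listener, authorization URL, code received on the redirect, code exchanged for a token), together with the PKCE and redirect-URI consistency points raised in the commit messages above, as an added Go example. This is not code from this PR or from the Rancher CLI; the function names (`randomToken`, `codeChallengeFor`, `authURL`, `tokenRequestForm`, `serveCallback`) are mine, the listener binds loopback only, and the caller supplies the provider's endpoint and client ID. The final step of submitting the provider token to Rancher is not shown.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// randomToken returns n random bytes base64url-encoded without padding; it is used
// for both the PKCE code_verifier and the state parameter.
func randomToken(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// codeChallengeFor derives the S256 code_challenge for a code_verifier (RFC 7636).
func codeChallengeFor(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authURL builds the authorization request the CLI opens in the browser. The state
// value ties the later callback to this request; the challenge commits to the verifier.
func authURL(authEndpoint, clientID, redirectURI, scope, state, verifier string) string {
	q := url.Values{
		"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"scope": {scope}, "state": {state},
		"code_challenge": {codeChallengeFor(verifier)}, "code_challenge_method": {"S256"},
	}
	return authEndpoint + "?" + q.Encode()
}

// tokenRequestForm is the body of the code exchange. redirect_uri must be the same
// value that was sent in authURL, and code_verifier proves this client started the flow.
func tokenRequestForm(clientID, code, verifier, redirectURI string) url.Values {
	return url.Values{
		"grant_type": {"authorization_code"}, "client_id": {clientID}, "code": {code},
		"code_verifier": {verifier}, "redirect_uri": {redirectURI},
	}
}

// serveCallback binds 127.0.0.1:port (0 lets the OS choose) and serves /callback. It
// returns the redirect URI to register with the provider and a wait function that
// yields the authorization code. A request whose state does not match gets a 400 and
// is otherwise ignored, so a stray or forged request cannot inject a code and the
// genuine redirect can still arrive before the caller's deadline.
func serveCallback(port int, expectedState string) (string, func(context.Context) (string, error), error) {
	ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
	if err != nil {
		return "", nil, err
	}
	results := make(chan url.Values, 1)
	mux := http.NewServeMux()
	mux.HandleFunc("/callback", func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
			http.Error(w, "state mismatch", http.StatusBadRequest)
			return
		}
		if q.Get("code") == "" {
			http.Error(w, "authorization failed", http.StatusBadRequest)
		} else {
			fmt.Fprintln(w, "Login complete. You can close this window.")
		}
		select { // deliver once; a replayed callback after the first is dropped
		case results <- q:
		default:
		}
	})
	srv := &http.Server{Handler: mux, ReadHeaderTimeout: 5 * time.Second}
	go srv.Serve(ln) // returns http.ErrServerClosed once Shutdown runs
	wait := func(ctx context.Context) (string, error) {
		defer func() { // stop listening whatever the outcome
			sctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
			defer cancel()
			_ = srv.Shutdown(sctx)
		}()
		select {
		case q := <-results:
			if code := q.Get("code"); code != "" {
				return code, nil
			}
			return "", fmt.Errorf("callback carried no code (error=%q)", q.Get("error"))
		case <-ctx.Done():
			return "", ctx.Err()
		}
	}
	return "http://" + ln.Addr().String() + "/callback", wait, nil
}
```

Wiring order for a CLI: generate `state` and `verifier` with `randomToken`, call `serveCallback` with the fixed port the provider's redirect URI was registered with (a fixed port is what the commit above switches to), open `authURL(...)` in the browser, then `wait` with a bounded context and POST `tokenRequestForm(...)` to the token endpoint using the same `redirectURI`. The state check runs before anything else in the handler, so a request from another local process or a stale tab is refused without ending the wait, and the bounded context plus `Shutdown` ensure the loopback listener never outlives the login attempt.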
@binaryoverload binaryoverload requested a review from a team as a code owner January 12, 2026 13:11