oauth2cli
Provide fallback method if local server is not reachable
It would be nice if oauth2cli provides a fallback method if the local server is not reachable such as a remote host. This issue is originally from https://github.com/int128/kubelogin/issues/148.
User interaction
Open http://localhost:8000
If you cannot open the browser, visit https://accounts.google.com/... and enter code: xxxxxxxx
Authorization will finish when the local server receives a code or the user enters a code by keyboard.
Implementation consideration
Redirect URIs are different between the local server and keyboard as:
- By the local server: redirect_uri=http://localhost:8000
- By keyboard: redirect_uri=urn:ietf:wg:oauth:2.0:oob
Note that post-process (exchanging code) must use the corresponding redirect URI, or an error will be returned.
It may be a complex design as:
- Goroutine 1 serves the local server.
- Goroutine 2 waits for an authorization response and shuts down the local server.
- Goroutine 3 waits for a code from keyboard and shuts down the local server.
Unfortunately fmt.Scanf() and io.Stdin.Read() do not support a context and there is no way to break an interaction for now (as https://github.com/golang/go/issues/20280). So goroutine 3 will remain after the authorization.
See also: https://github.com/int128/kubelogin/blob/1.0/oidc.go#L81
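A sketch of the design described in this issue, added here as an example and not taken from oauth2cli or kubelogin: the local server and the keyboard race to deliver a code, and the result carries the redirect URI that the later code exchange has to repeat. `receiveCode`, `authResult` and the `localURI` parameter are hypothetical names; only the standard library is used and the token exchange itself is not shown.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
)

const oobRedirectURI = "urn:ietf:wg:oauth:2.0:oob" // keyboard (out-of-band) path
type authResult struct{ Code, RedirectURI string } // RedirectURI is reused in the code exchange

// receiveCode (hypothetical helper) returns the first code from the local server or the keyboard.
func receiveCode(ctx context.Context, l net.Listener, localURI string, keyboard io.Reader) (authResult, error) {
	results := make(chan authResult, 1)
	offer := func(code, uri string) { // non-blocking, so the losing path never hangs on send
		if code == "" {
			return
		}
		select {
		case results <- authResult{code, uri}:
		default:
		}
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		offer(r.URL.Query().Get("code"), localURI)
	})}
	go srv.Serve(l)                          // goroutine 1: the local server
	defer srv.Shutdown(context.Background()) // shut it down whichever path wins
	go func() { // goroutine 3: the read takes no context, so it can outlive this call
		var code string
		fmt.Fscanln(keyboard, &code)
		offer(code, oobRedirectURI)
	}()
	select { // goroutine 2's role, done inline: first result or cancellation
	case r := <-results:
		return r, nil
	case <-ctx.Done():
		return authResult{}, ctx.Err()
	}
}
func main() { // stand-alone run on the address used in this issue, code read from stdin
	l, err := net.Listen("tcp", "localhost:8000")
	if err != nil {
		panic(err)
	}
	fmt.Println(receiveCode(context.Background(), l, "http://localhost:8000", os.Stdin))
}
```

The local redirect URI is passed in rather than derived from the listener, because the listener reports 127.0.0.1 for localhost and the exchange must send exactly the string used in the authorization request.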
Hi @int128, do you know why my local kubelogin server is not reachable?

I don't see anywhere in the documentation how to (re)start kubelogin's server...
URL seems wrong. It should be http://localhost:8000/?access_type=....
Sorry, meant to update this before - this was a user error 😄
Turned out my .well-known/openid-configuration JSON's URIs were not absolute paths but instead were relative paths - i.e. /o/authorize instead of https://my-host:8000/o/authorize. Fixing this resolved my issue.
Thanks for the great tool!