
add redirect url

tuana9a opened this issue 10 months ago · 2 comments

Use case

I deployed

  • a code-server running HTTP on port 8209
  • it sits behind a reverse proxy with SSL termination (ex: nginx, Cloudflare tunnel) running HTTPS on port 443

I'm accessing it at https://dev2.tuana9a.com from any of my devices that have a web browser (desktop, tablet, laptop, phone).

On this server I want to use kubelogin to access my internal Kubernetes cluster. kubelogin will listen on port 8000, and that server doesn't have a browser, so I skip the open-browser step; instead, when the CLI runs, it should show the URL below:

Please visit the following URL in your browser: https://dev2-8000.tuana9a.com

The vscode-server supports exposing ports over a custom proxy like

VSCODE_PROXY_URI=https://dev2-{{port}}.tuana9a.com

so that I can go to that URL, reach the temporary server opened by this oauth2cli and continue the authentication process.

The current setup only has a redirect hostname + port. I think adding a RedirectUrl and letting the user decide it could improve the flexibility of the CLI.

If this goes through I would love to open my next PR to add the flag --oidc-redirect-url to the kubelogin CLI as well. The full config looks like this:

- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://accounts.google.com
      - --oidc-client-id=xxxx-yyy.apps.googleusercontent.com
      - --oidc-client-secret=zzz
      - --skip-open-browser
      - --listen-address=0.0.0.0:8000
      - --oidc-redirect-url=https://dev2-8000.tuana9a.com
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false

Tests

I have successfully modified the code, and I have written an e2e test for this use case, and it passed.

Related

This PR may be related to #137 and #117

tuana9a · Jan 04 '25 10:01

I think the following option may help this issue:

      --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")

int128 · Jan 25 '25 07:01

I have updated the description, I'm deploying:

  • vscode-server with HTTP on port 8209
  • it sits behind a reverse proxy with HTTPS (SSL termination) on port 443

example: https://dev2.tuana9a.com:443 -> http://192.168.56.9:8209 (192.168.56.9 is the IP address of the vscode-server)

Using --oidc-redirect-url-hostname is not enough. Let's say the CLI listens on port 8000; the redirect URL will then look like this:

http://dev2-8000.tuana9a.com:8000 - which is not correct.

The correct one should be https://dev2-8000.tuana9a.com:443, as I set up the reverse proxy to forward to http://192.168.56.9:8000.

I will also have to open port 8000 on the firewall and forward it to the vscode-server inside.

As I'm seeing it, we take the port from the bind address:

https://github.com/int128/oauth2cli/blob/69eb49a5eda8c49cd8d3279700d7abc3f2f58c66/server.go#L24-L26

and the HTTPS protocol needs cert files:

https://github.com/int128/oauth2cli/blob/69eb49a5eda8c49cd8d3279700d7abc3f2f58c66/server.go#L50-L58

https://github.com/int128/oauth2cli/blob/69eb49a5eda8c49cd8d3279700d7abc3f2f58c66/oauth2cli.go#L108-L110

So I think we have these options:

  • add more custom (override) flags, ex: --oidc-redirect-url-protocol + --oidc-redirect-url-port
  • or, as I'm thinking: if the user knows the network setup and understands what they are doing, just add the flag --oidc-redirect-url and let them DIY.

Or can you suggest a better alternative? Thanks!

tuana9a · Jan 26 '25 01:01
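To make the two options in the thread concrete, here is an added Go example (written for this page, not oauth2cli's or kubelogin's own code) of how the redirect URL could be derived. It takes the bind address, the hostname override, whether the local callback server has TLS cert files, and the proposed full-URL override. Type and function names (RedirectConfig, BuildRedirectURL, validateOverride) are assumptions for illustration. With only the hostname override it reproduces the URL the reply above calls incorrect, http://dev2-8000.tuana9a.com:8000, because scheme and port still come from the local listener; with the full override it returns the proxy-facing URL unchanged. The override is validated to be an absolute http/https URL without query or fragment, since the identity provider compares redirect_uri against the registered value as a string and a malformed value would fail that comparison at login time rather than at startup.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// RedirectConfig collects the inputs discussed in the issue.
// Field names are assumptions for this example, not oauth2cli's own types.
type RedirectConfig struct {
	ListenAddress    string // bind address of the local callback server, e.g. "0.0.0.0:8000"
	RedirectHostname string // --oidc-redirect-url-hostname; empty means "localhost"
	LocalTLS         bool   // true when cert/key files are configured for the local server
	RedirectURL      string // proposed --oidc-redirect-url override; empty means derive it
}

// BuildRedirectURL returns the redirect_uri to send to the identity provider.
// Without an override, scheme and port are tied to the local listener, which is
// exactly why a hostname-only override cannot express an https-on-443 reverse proxy.
func BuildRedirectURL(c RedirectConfig) (string, error) {
	if c.RedirectURL != "" {
		return validateOverride(c.RedirectURL)
	}
	_, port, err := net.SplitHostPort(c.ListenAddress)
	if err != nil {
		return "", fmt.Errorf("invalid listen address %q: %w", c.ListenAddress, err)
	}
	host := c.RedirectHostname
	if host == "" {
		host = "localhost"
	}
	scheme := "http"
	if c.LocalTLS {
		scheme = "https"
	}
	u := url.URL{Scheme: scheme, Host: net.JoinHostPort(host, port)}
	return u.String(), nil
}

// validateOverride accepts only an absolute http/https URL with a host and no
// query or fragment, so that the value registered at the provider and the value
// sent in the authorization request can match exactly.
func validateOverride(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("invalid redirect URL %q: %w", raw, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("redirect URL %q: scheme must be http or https", raw)
	}
	if u.Host == "" {
		return "", fmt.Errorf("redirect URL %q: host is required", raw)
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return "", errors.New("redirect URL must not contain a query string or fragment")
	}
	return u.String(), nil
}

func main() {
	// Constructed inputs mirroring the issue's setup.
	hostnameOnly := RedirectConfig{ListenAddress: "0.0.0.0:8000", RedirectHostname: "dev2-8000.tuana9a.com"}
	fullOverride := RedirectConfig{ListenAddress: "0.0.0.0:8000", RedirectURL: "https://dev2-8000.tuana9a.com"}
	for _, c := range []RedirectConfig{hostnameOnly, fullOverride} {
		u, err := BuildRedirectURL(c)
		fmt.Printf("redirect_uri=%q err=%v\n", u, err)
	}
}
```

Run with `go run .`; the first line shows the hostname-only result with the local port and http scheme, the second shows the override passed through. Whether the override is reachable (the reverse proxy forwards 443 to the listener's port) stays the user's responsibility, which is the trade-off the second bullet in the reply describes.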