Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support OAuth 2.0 device flow #103

Open
DrDaveD opened this issue Mar 11, 2020 · 8 comments
Open

Support OAuth 2.0 device flow #103

DrDaveD opened this issue Mar 11, 2020 · 8 comments

Comments

@DrDaveD
Copy link

DrDaveD commented Mar 11, 2020
edited
Loading

I suggest that this plugin optionally support the OAuth 2.0 device flow for authentication. This avoids needing to have a callback to a web server on the client's machine and is much easier to manage from the command line.
@DrDaveD DrDaveD mentioned this issue Mar 11, 2020
Merged
@DrDaveD
Copy link
Author

DrDaveD commented Mar 23, 2020

This would probably be based on this unmerged golang oauth2 pull request or this add-on package.

@kalafut
Copy link
Contributor

kalafut commented Mar 23, 2020

Hi. Thanks for the references. Support for Device Flow is definitely of interest, especially for remote login support. It hasn’t been investigated in detail and there isn’t an ETA at this time, but it’s something that will be looked into.

@DrDaveD DrDaveD mentioned this issue Mar 26, 2020
Merged
@DrDaveD
Copy link
Author

DrDaveD commented Jun 18, 2020

I am beginning to work on a pull request for this.

@kalafut
Copy link
Contributor

kalafut commented Jun 19, 2020

Hi @DrDaveD. Can you summarize the approach you plan to take?

@DrDaveD
Copy link
Author

DrDaveD commented Jun 19, 2020

Since there's no indication about if or when the unmerged PR I referred to above will get into the golang/oauth2 package, I am instead planning to base my PR on the rjw57/oauth2device code. The latter is basically only a single source file that hasn't changed in 6 years, so I'm thinking I'll either copy it in or just take ideas from it. Because I won't be modifying golang/oauth2, that means I won't be able to use oidc_discovery to find the full URL, so instead I plan to add a role parameter with the full URL of the device authorization endpoint on the token issuer; that's less than ideal but I think not so bad, and maybe in the future can be changed if golang/oauth2 ever gets the device flow support.

I think I will be adding a two-step API then, not a whole lot different than the existing oidc/auth_url plus oidc/callback. In fact maybe the first step of the API can be the same, because device flow still results in a URL that needs to go to the user's web browser. The second step will be different though because it will just be for the client to ask this plugin to poll for the result and continue. The vault login cli of course will also be updated to use the new API when device flow is in use.

How does that sound?

@DrDaveD DrDaveD mentioned this issue Jul 6, 2020
Closed
@DrDaveD DrDaveD mentioned this issue Aug 13, 2020
Open
@sidewinder12s
Copy link

Was able to work around this by adding this flag when SSHing into a remote machine:

ssh -L 8250:localhost:8250 <address>

And then clicking on the Auth URL when it was presented.

@DrDaveD DrDaveD mentioned this issue Jul 22, 2021
Open
@ClientIco ClientIco mentioned this issue Apr 26, 2022
Open
@tsipinakis
Copy link

4 years later pinging this issue again as it's a much desired feature for us - it breaks a lot of workflows to not be able to log in easily on SSH (if you forward the port then you can't log in locally).

@DrDaveD
Copy link
Author

DrDaveD commented Nov 18, 2024

The port of #131 is now available in an openbao 2.1.0 beta release via openbao/openbao#319.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kalafut @sidewinder12s @DrDaveD @tsipinakis