`cosign` is starting a callback listener on localhost which receives the code from the OIDC issuer. The problem is that it uses a random free port, see here. So there is no way to know the exact redirect URL in advance for the OIDC dance. This is a problem because some (most?) OIDC issuers require a white list of callback URLs to be configured in advance, otherwise they won't work. One example is Auth0 where I can put `http://localhost:<port>` as callback URL if I know the port number in advance.
So I propose adding a new command line argument (e.g. `--oidc-callback-port`) which specifies the port number of the callback listener. By default it will be 0 which means a random free port on localhost (current behavior). Let me know if this sounds reasonable and I will start working on PRs for the sigstore library and cosign.
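A sketch of the listener behaviour the proposal describes, added here as an example and not taken from the issue or from the cosign/sigstore code. The helper names and the `/auth/callback` path are assumptions; a fixed port fails closed when it is busy, so the redirect URI never differs from the one registered with the issuer.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// startCallbackListener binds the OIDC redirect listener to IPv4 loopback only.
// port 0 asks the kernel for a random free port (the behaviour the issue
// describes); any other value is bound exactly and the call fails instead of
// falling back to another port, so the URI stays equal to the registered one.
// Hypothetical helper for illustration, not cosign's or sigstore's code.
func startCallbackListener(port int) (net.Listener, string, error) {
	if port < 0 || port > 65535 {
		return nil, "", fmt.Errorf("invalid callback port %d", port)
	}
	ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
	if err != nil {
		return nil, "", fmt.Errorf("bind callback port %d: %w", port, err)
	}
	actual := ln.Addr().(*net.TCPAddr).Port
	// "/auth/callback" is an assumed path; the host form follows the issue.
	return ln, fmt.Sprintf("http://localhost:%d/auth/callback", actual), nil
}

// callbackHandler hands over the authorization code only when the state
// parameter matches the value sent in the authorization request.
func callbackHandler(wantState string, codes chan<- string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("state") != wantState || q.Get("code") == "" {
			http.Error(w, "invalid callback", http.StatusBadRequest)
			return
		}
		codes <- q.Get("code")
		fmt.Fprintln(w, "Login complete, you can close this tab.")
	})
}

func main() {
	ln, redirect, err := startCallbackListener(0) // 0 = random free port
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	fmt.Println("redirect URI for this run:", redirect)
}
```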