Use system browser for OAuth authentification

[pitetb]

I have checked the following:

• I've searched existing issues and found nothing related to my issue.

Describe the feature you want to add

For Oauth2 authentifiction, (and for others eventually), when clicking on "Get Access Token", the system's browser should be opened (not the bruno integrated one).
Why that? It will allow users to have access to theirs password managers configured on theirs browser. It's a cool feature that make life easier.

Mockups or Images of the feature

See as postman is working.

[ianfrance-gls]

This issue blocks my usage of Bruno on my system. My organisations authorisation does not allow the Electron browser to be used.

[navneet-z]

This issue blocks my usage of Bruno on my system. My organisations authorisation does not allow the Electron browser to be used.

+1 Due to this issue, we are not able to use Bruno at my organization. @helloanoop Please help here.

[pietrygamat]

My thoughs: this request is not impossible, but may still be not ideal in the environments where the organization has very strict requirements about software you use. The oauth2 browser flow would start with bruno executing shell request to open Authorization URL. It would normally be a https request, and it would be handled by the default browser loading the login page. First potential, albeit minor problems here are:

• It is very likely that the browser silently switches from http to https, which may result in login page being unreachable. Agreed, you should not host your auth server without TLS, but just pointing that as a potential problem outside of what Bruno can help with.
• Untrusted TLS - Bruno's settings for custom CA or disabling TLS verification will not work in the browser. We must assume it is configured correctly.

The more important problem is the core of how OAuth2 works: after the successful authorization the browser is supposed to redirect to the Callback URL. This redirect carries credentials that we are interested in, but they must somehow return back to Bruno. Currently, as Bruno is handling the browsers function, it simply extracts the credentials and ignores the redirect uri completely, but the browser will not do that. This creates another set of problems:

1. Can I redirect to Bruno?
2. How to redirect to Bruno?

The first question is about whether the authorization server allows arbitrary callback urls. If not - the url to Bruno must be explicitly whitelisted in the server configuration. This in itself may be considered security violation, depending on the type of application, or the user may simply not have that kind of access, in which case it's game over.

The second question is a main technical challenge for Bruno developers. From what I understand electron applications may be registered as custom protocol clients, and in fact Bruno does register itself as a client for bruno:// protocol. That means the browser redirecting to bruno://xxx would launch another instance of Bruno, and it would be able to consume the callback url with credentials included. For this to make sense however, Bruno must be launched as a single instance application, because a new instance would not know what to do with the information. Also, I can only imagine that making Bruno a single instance app breaks someone's workflow. Maybe @helloanoop has his mind made up on this issue?

And of course, your desktop security policy must not be too strict for that either - if you are not able to register custom protocol clients, it's game over again. Then again, since Postman gets away with just that, it can't be a real world problem.

[staehr]

This issue blocks my usage of Bruno on my system. My organisations authorisation does not allow the Electron browser to be used.

I +1 this. The internal browser used doesn't send the device identifier to e.g. microsoft. With that there are restrictions that a login isn't possible to specific accounts.

It's also the only thing holding me back to buy and use bruno and to recommend it to the whole company.

[dglozano]

+1 on this. Same reasons as most people above: a nice to have in order to use password managers, but also because the organiation policy doesn't allow me to login using the embedded browser.

[rosshosman]

This has been a pain in our organization as well where we require users use a company provided password manager and MFA everywhere. Would love to see this implemented so we can continue to expand our Bruno usage.

[BBE-91]

Coupled with implicit mode, as it's the only allowed method in our companty

[kbublitz]

I have no idea what exactly is the reason, but our company login server does some strange redirects that don't work in the integrated browser. We had the same issue in Postman, but there is a "Authorize using browser" option which enables using the standard browser.
I would really like to have a similar option in Bruno, otherwise I can't use it at the moment.