feat(auth): add OIDC auth-code + PKCE login helper#534

Draft
aparajon wants to merge 1 commit into main from aparajon/auth-login-pkce

Conversation

@aparajon

Collaborator

Why this matters

A CLI needs a way to obtain a token interactively without users hand-copying credentials. This adds the OIDC login engine — the authorization-code + PKCE flow — that an interactive login command will drive. It lands as a standalone helper; nothing calls it yet, so there is no behavior change.

What it does

  • Adds client.Login, which runs the OAuth2 authorization-code flow with PKCE for a public client: discovers the provider's endpoints, starts a loopback callback server, opens the browser at the authorization URL (S256 challenge + a random state), receives the code on the loopback redirect (verifying the state matches), and exchanges it — with the PKCE verifier — for tokens.
  • Binds the callback listener to the loopback interface and verifies the state on the redirect, so a stray or forged request can't complete the flow with someone else's code.
  • The browser opener is injected by the caller, keeping the helper testable and free of UI assumptions; the whole flow is bounded by the caller's context and the callback server is always shut down before returning.
  • Promotes golang.org/x/oauth2 to a direct dependency.

How it fits

Part of the optional client-side authentication workstream. This is the login engine; a later change wires the interactive login / logout commands and the on-disk token cache around it, and adds the end-to-end test against a real OIDC provider.
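The two checks the description relies on, the S256 challenge bound to the verifier and the state comparison on the loopback redirect, as an added Go example that is not code from this PR (function names and the query-string shape are assumptions):

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/url"
)

// NewRandomToken: 32 random bytes as unpadded base64url (43 chars from the
// PKCE unreserved set), usable for both the code_verifier and the state.
func NewRandomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// S256Challenge is the code_challenge sent in the authorization request:
// BASE64URL(SHA256(code_verifier)) with no padding (RFC 7636 section 4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyS256 is the provider-side check at the token endpoint: the verifier
// presented with the code must hash to the challenge bound to that code.
func VerifyS256(challenge, verifier string) bool {
	return subtle.ConstantTimeCompare([]byte(S256Challenge(verifier)), []byte(challenge)) == 1
}

// CheckCallback validates the loopback redirect query: the state must equal the
// one generated for this login, so a stray or forged request never reaches exchange.
func CheckCallback(rawQuery, expectedState string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: rejecting callback")
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carried no authorization code")
	}
	return q.Get("code"), nil
}
```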

Copilot AI review requested due to automatic review settings June 25, 2026 20:49

Copilot AI left a comment


Pull request overview

Adds a standalone CLI-side OIDC login helper that performs the OAuth2 authorization-code + PKCE flow (discovery, loopback callback server, browser open, state validation, code exchange) plus an in-process fake OIDC provider test harness to exercise the flow end-to-end. This lays the groundwork for a future login command without changing current runtime behavior.

Changes:

  • Introduces client.Login and related config/result types to run OIDC auth-code + PKCE via a loopback redirect.
  • Adds unit tests with an in-process fake OIDC provider that validates the PKCE S256 round-trip and negative cases.
  • Promotes golang.org/x/oauth2 to a direct dependency.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File: pkg/cmd/client/login.go
Description: New OIDC auth-code + PKCE login helper with loopback callback server and token exchange.

File: pkg/cmd/client/login_test.go
Description: End-to-end unit tests using a fake in-process OIDC provider to validate the flow and error handling.

File: go.mod
Description: Adds golang.org/x/oauth2 as a direct dependency.

Add a Login helper that runs the OAuth2 authorization-code flow with PKCE for a
public client: discover the provider's endpoints, start a loopback callback
server, open the browser at the authorization URL (S256 challenge + state),
receive the code on the loopback redirect (verifying state), and exchange it
(with the PKCE verifier) for tokens.

The helper is standalone and browser-agnostic — the caller supplies the browser
opener — so the interactive login command can wire it later. The whole flow is
bounded by the caller's context and the loopback server is always shut down
before returning. Promotes golang.org/x/oauth2 to a direct dependency.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@aparajon aparajon force-pushed the aparajon/auth-login-pkce branch from a888cc0 to 09cc360 Compare June 25, 2026 21:08