New command group: nextflow auth

[ewels]

This PR introduces a complete authentication system for Seqera Platform with multiple subcommands for managing authentication credentials and configuration.

CleanShot.2025-09-21.at.00.32.54.mp4

Features

New nextflow auth command with subcommands:

• nextflow auth login - Authenticate with Seqera Platform using OAuth2/PKCE flow
• nextflow auth logout - Remove authentication credentials and clear configuration
• nextflow auth status - Show current authentication status and user information
• nextflow auth config - Display current authentication configuration

Auth0 Device Flow Authentication

• Implements Auth0 device flow for secure authentication without requiring a local server
• User-friendly flow: displays a code and opens browser to Auth0 verification URL
• Automatic polling to detect when user completes authentication
• Supports multiple Seqera environments (production, staging, development)
• Personal Access Token (PAT) fallback for enterprise/custom deployments

Usage Examples

# Authenticate with Seqera Cloud (production)
nextflow auth login

# Authenticate with custom endpoint
nextflow auth login -u https://my-enterprise-seqera.com/api

# Check authentication status
nextflow auth status

# View current configuration
nextflow auth config

# Logout and clear credentials
nextflow auth logout

Technical Implementation

Core Components

• CmdAuth: Main command handler with OAuth2 flow implementation
• ColorUtil: ANSI color utility for enhanced terminal output
• Comprehensive test suite: 36 tests covering all functionality

Authentication Flow

1. Prompts for API endpoint (defaults to Seqera Cloud production)
2. For Seqera Cloud: initiates Auth0 device flow
3. Displays user code and opens browser to verification URL
4. Polls Auth0 token endpoint until user completes authentication
5. For enterprise: prompts for Personal Access Token
6. Validates credentials and fetches user information
7. Handles workspace/organization selection
8. Updates Nextflow configuration with new credentials

---

Note

Introduces a new nextflow auth CLI with OAuth2 (Auth0) and PAT flows via nf-tower plugin, adds ANSI color utility, integrates into launcher, and includes comprehensive tests.

• CLI:
  • Add CmdAuth command group with subcommands: login, logout, config, status.
  • Integrate auth into Launcher command registry.
  • Add ColorUtil for ANSI-colored terminal output.
• nf-tower Plugin:
  • Implement io.seqera.tower.plugin.cli.AuthCommandImpl (extension of CmdAuth.AuthCommand).
    • Auth0 device flow (Cloud) and PAT entry (Enterprise), token generation/deletion, config read/write, workspace selection, and status display.
  • Register new extension point and bump nextflowVersion to 25.08.0-edge in plugins/nf-tower/build.gradle.
• Tests:
  • Add tests for CmdAuth, ColorUtil, and AuthCommandImpl.
• Misc:
  • Update author email in nextflow/trace/ReportObserver.groovy.

^{Written by Cursor Bugbot for commit 00b4590. This will update automatically on new commits. Configure here.}

[netlify]

✅ Deploy Preview for nextflow-docs-staging canceled.

Name	Link
🔨 Latest commit	00b4590
🔍 Latest deploy log	https://app.netlify.com/projects/nextflow-docs-staging/deploys/68dbfface68c9c000860363c

[ewels]

Struggling to get the tests to pass. Even master is failing for me locally, whilst passing on GitHub. Not sure what's wrong.

[ewels]

@claude Please review this pull request and provide feedback on:

• Code quality and best practices
• Potential bugs or issues
• Performance considerations
• Security concerns
• Test coverage

Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.

Use gh pr comment with your Bash tool to leave your review as a comment on the PR.

[claude]

Claude encountered an error —— View job

Failed with exit code 128

---

I'll analyze this and get back to you.

[cursor]

Bug: Colorize Method Incorrectly Applies Bold Formatting

When fullReset is false, the colorize method attempts to reset dim formatting using Attribute.INTENSITY_BOLD. This applies bold formatting instead of returning the text to normal intensity, causing text to appear bold when it should be undimmed.

 

[cursor]

Bug: Incorrect Environment Variable Check in Nextflow Auth

The nextflow auth commands incorrectly check for the TOWER_WORKFLOW_ID environment variable when configuring and displaying the default workspace. This prevents the system from recognizing the intended TOWER_WORKSPACE_ID environment variable for workspace selection.

Additional Locations (1)

• modules/nextflow/src/main/groovy/nextflow/cli/CmdAuth.groovy#L1186-L1187

 

[pditommaso]

Let's start refactoring this as nf-seqera plugin (in the plugins directory, same as nf-tower)

[jorgee]

I get confused a bit on how -url is managed.
In usage examples, it seems the -url is used to support login for enterprise, but inside the code it is also used to decide to use cloud dev, stage or prod.
To manage it, the code has a couple of maps with the api and Auth0 URLs, and Auth0 client Id for all environments hardcoded in the code. There is also a complex sequence to check if the URL is from platform (cloud) or enterprise and if it is enterprise then uses PAT instead of Auth0.

I think it is better to simplify it by -url is for enterprise with PAT and no url is for cloud. Moreover, instead of hardcoding all environments, keep just the production values as default and allow to test in other environments using env variables. In fact, we already have the TOWER_API_ENDPOINT, we just would need to add the ones for auth endpoint and client id.

What do you think about it?

[jorgee]

What happens if there was a previous token already defined in the config. Could it be deleted by mistake?

[ewels]

Yes it will be deleted, by design. Maybe we could add a confirmation prompt?

[ewels]

@jorgee I think that we still need the logic to detect the 3 prod / stage / dev URLs for cloud - it's needed to trigger the logic to try the Auth0 flow rather than just booting people to use a PAT.

If we have that logic in the code, then I don't really see a reason to not also include the key and auth0 URL personally, it's only a handful of extra lines of code. And it'd be a swap for env vars. Given that I don't envision ever needing to test with any other auth0 URLs I'm not really sure it'd be any simpler..?

[jorgee]

It seems login is not working well when there is a profile with tower properties. I had already defined a profile and it was removed from the profile and wrote a new one. I will debug it, but I was wondering if it will be easier to write everything in a separate file and just add the include it in the .nextflow/config. We will just need to add or remove the line instead of looking for the tower config.

[jorgee]

Pushed changes to move Auth functionality to nf-tower

[jorgee]

This is what I referred to in my previous comment #6380 (comment).
In normalizeApi, it is converting http to https and, in getCloudEndpoint, it is checking if the provided apiUrl is in a legacy format '/api' to compare it with the dev, stage and prod endpoints
Assuming that url flag is just for login in enterprise, it could be simplify by

if (apiUrl)
 handleEnterpriseAuth(apiUrl)
else
  performAuth0Login()

No need to normalizeApi function nor getCloudEndpointInfo. If the problem is providing the Auth0 url and clientId when testing we could be kept in a map api_endpoint -> auth0_Info and just use the TOWER_ENDPOINT_API to retrive them as it is used in the rest of the nf-tower calls.