crypt/step-ca-cli
1
0
Fork 0
mirror of https://github.com/smallstep/cli.git synced 2025-08-09 03:22:43 +03:00
Code Activity

Add --console-flow flag to oauth for selecting alternative flows

Browse Source
This commit is contained in:
max furman
2022-06-24 16:19:14 -07:00
parent 602a3d168e
commit 5d374684ea
1 changed files with 43 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
command/oauth/cmd.go
View File

@@ -147,6 +147,16 @@ $ step oauth --client-id my-client-id --client-secret my-client-secret \
--provider https://example.org --provider https://example.org
''' '''
Use the Device Authorization Grant flow for input constrained clients:
'''
$ step oauth --client-id my-client-id --client-secret my-client-secret --device
'''
Use the Out Of Band flow for input constrained clients:
'''
$ step oauth --client-id my-client-id --client-secret my-client-secret --oob
'''
Use additional authentication parameters: Use additional authentication parameters:
''' '''
$ step oauth --client-id my-client-id --client-secret my-client-secret \ $ step oauth --client-id my-client-id --client-secret my-client-secret \
@@ -170,6 +180,19 @@ NOTE: This flag will continue to use the Out of Band (OOB) flow for Google OAuth
until Oct 3, 2022 when the OOB flow will be shut off. All other OAuth clients until Oct 3, 2022 when the OOB flow will be shut off. All other OAuth clients
will default to using the Device Authorization Grant flow will default to using the Device Authorization Grant flow
(https://datatracker.ietf.org/doc/html/rfc8628#section-3.2).`, (https://datatracker.ietf.org/doc/html/rfc8628#section-3.2).`,
},
cli.BoolFlag{
Name: "console-flow",
Usage: `The alternative OAuth <flow> to use for input constrained devices.
: <console-flow> is a case-insensitive string and must be one of:
**device**
: Use the Device Authorization Grant
(https://datatracker.ietf.org/doc/html/rfc8628#section-3.2) flow
**oob**
: Use the Out of Band (OOB) flow`,
}, },
cli.StringFlag{ cli.StringFlag{
Name: "client-id", Name: "client-id",
@@ -297,9 +320,25 @@ func oauthCmd(c *cli.Context) error {
return errors.New("flag '--client-id' required with '--provider'") return errors.New("flag '--client-id' required with '--provider'")
} }
_, isDeviceFlow := os.LookupEnv("DEVICE") if c.Bool("oob") && c.Bool("device") {
if c.Bool("console") && !(opts.Provider == "google" || strings.Contains(opts.Provider, "google.com")) { return errs.MutuallyExclusiveFlags(c, "oob", "device")
}
isOOBFlow, isDeviceFlow := false, false
consoleFlowInput := c.String("console-flow")
switch {
case strings.EqualFold(consoleFlowInput, "device"):
isDeviceFlow = true isDeviceFlow = true
case strings.EqualFold(consoleFlowInput, "oob"):
isOOBFlow = true
case c.IsSet("console-flow"):
return errs.InvalidFlagValue(c, "console-flow", consoleFlowInput, "device, oob")
case c.Bool("console"):
if opts.Provider == "google" || strings.HasPrefix(opts.Provider, "https://accounts.google.com") {
isOOBFlow = true
} else {
isDeviceFlow = true
}
} }
var clientID, clientSecret string var clientID, clientSecret string
@@ -417,9 +456,9 @@ func oauthCmd(c *cli.Context) error {
} else { } else {
tok, err = o.DoTwoLeggedAuthorization(issuer) tok, err = o.DoTwoLeggedAuthorization(issuer)
} }
case opts.Console && isDeviceFlow: case isDeviceFlow:
tok, err = o.DoDeviceAuthorization() tok, err = o.DoDeviceAuthorization()
case opts.Console: case isOOBFlow:
tok, err = o.DoManualAuthorization() tok, err = o.DoManualAuthorization()
default: default:
tok, err = o.DoLoopbackAuthorization() tok, err = o.DoLoopbackAuthorization()