-
Notifications
You must be signed in to change notification settings - Fork 114
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Out of band flow not working #594
Comments
In the case of out of band flow, I believe the redirect_uri should be |
If you change the
|
Howdy! Currently, only the redirect-based browser flow is implemented. I suppose it's been on my backlog long enough now :p |
Thanks. It seems mostly there: sigstore/pkg/oauthflow/interactive.go Lines 80 to 91 in 963cd5d
If you manually change the I think it should be just a matter of making sure the |
For documentation: Google has decided to deprecate the Out-Of-Band flow without replacement. The closest alternative is the device flow (i.e. enter this code at this URL), or simply copy-pasting the long-lived |
My personal use case is authentication on a remove development machine I access over ssh. I don't have access to a browser local to the server, though I suppose I could try to use a text based browser like lynx or something. I could also do the normal browser-based flow with port-forwarding from the local machine to the server, but the app would need to give me the url that I can paste into my browser. I'm not sure that's a great UX but it would require minimal work to support. |
can we close this for now @ianlewis or do you still need anything addressed? |
I think there should to be some way to support authentication on a machine other than the one the browser is on (e.g. ssh to a dev server). Either by supporting the out-of-band flow, the device flow that @dekkagaijin mentioned, or explicitly support port forwarding as I mentioned. I don't really consider using a console browser as a valid workaround. |
We already support device flow though, is this lacking somehow https://github.com/sigstore/sigstore/blob/main/pkg/oauthflow/device_test.go ? |
Apologies, I wasn't aware of device flow or how to invoke it. Perhaps it's simply that
When the browser can't be opened, the So as far as sigstore is concerned I'd say the following could be actionable:
|
Not a problem. I can't confess to know the gitsign code very well, but it should in theory be capable of falling back to device flow. It makes sense to have such a feature as many folks code in remote envs. I recommend kicking the conversation off over at sigstore/gitsign, in the meantime happy to keep this open so if we need to adjust things on this side, we can do. |
I'm not sure how that can happen currently without gitsign reimplementing the
I opened sigstore/gitsign#137 to track the issue there. |
This problem isn't unique to gitsign - verified this also affects cosign. 🙃 Opened a fix in #698 that I've verified works with gitsign.
IIUC this only affects users who are using the Google OIDC issuer directly, but this won't affect default clients using
I'd prefer not to persist long lived creds if we can avoid it. I think the device code based approach is fine, especially if we pair it with https://github.com/sigstore/gitsign/tree/main/cmd/gitsign-credential-cache so that only short-lived secrets are persisted and only need to be entered every 10 mins. |
Description
The auth process in
gitsign
outputs a URL you should be able to open in the browser to get a verification code, but the oauth2 server redirects to localhost after logging in. In this case localhost is not accessible so the auth flow cannot complete.Version
gitsign v0.2.0
The text was updated successfully, but these errors were encountered: