
@franklouwers franklouwers commented Nov 27, 2025

Description

Add API Authentication for Terraform Provider Integration

This PR implements the CLI authentication feature proposed in terraform-provider-stackit#880, enabling the Terraform Provider and SDK to use CLI user credentials instead of requiring service accounts for local development. (See stackitcloud/terraform-provider-stackit#719 for the issue that triggered this as well)

Overview

Currently, the STACKIT Terraform Provider and SDK only support service account authentication (Key Flow and Token Flow), requiring users to create and manage service account credentials even for local development. This PR adds a new stackit auth api command group that allows external tools to leverage the CLI's convenient OAuth2 user authentication.

I also fixed a bug with token refresh expiration times.

Changes

This implementation follows the RFC's preferred approach: keychain storage with file-based fallback.

1. Storage Context System

Refactored the storage layer to support multiple independent credential contexts:

  • CLI context: For stackit auth login (existing behavior unchanged)
  • API context: For stackit auth api login (new, isolated storage)

Storage locations:

  • Keychain: stackit-cli-api (macOS Keychain, Windows Credential Manager, Linux Secret Service)
  • File fallback: ~/.stackit/cli-api-auth-storage.txt (base64-encoded)

2. Token Refresh Fix

Critical improvement: Fixed token refresh mechanism to use actual JWT expiration instead of session expiration:

  • Before: Stored session expiry (default 2h from config), causing SDK to think tokens were valid when they'd already expired
  • After: Parse and store JWT exp claim (typically 15min), enabling proper automatic token refresh

This fix applies to both stackit auth login and stackit auth api login.

3. New Commands

Added stackit auth api subcommand group:

# Authenticate for Terraform/SDK (opens browser)
stackit auth api login

# Check authentication status
stackit auth api status

# Get access token with automatic refresh
stackit auth api get-access-token

# Remove API credentials
stackit auth api logout

Benefits

  • No service accounts required for local Terraform development
  • Automatic token refresh with bidirectional storage sync
  • Independent credentials: CLI and API can use different accounts simultaneously
  • Profile support: Each profile has independent CLI and API authentication
  • Secure storage: System keychain with automatic file fallback

Usage Example

# User authenticates once
$ stackit auth api login
# Opens browser, stores credentials in isolated API context

# Terraform Provider can now use these credentials
# (Requires provider update to support CLI auth - separate PR)

Implementation Notes

  • Maintains full backward compatibility with existing auth flows
  • No changes to stackit auth login behavior
  • Storage contexts prevent credential conflicts
  • Test coverage

Related

Checklist

  • Issue was linked above
  • Code format was applied: make fmt
  • Examples were added / adjusted (see e.g. here)
  • Docs are up-to-date: make generate-docs (will be checked by CI)
  • Unit tests got implemented or updated
  • Unit tests are passing: make test (will be checked by CI)
  • No linter issues: make lint (will be checked by CI)

Refactor storage layer to support multiple independent storage contexts,
enabling CLI and API (Terraform Provider/SDK) credentials to be stored
separately. This allows users to authenticate with different accounts
for CLI operations vs. SDK/Terraform usage.

Key changes:
- Add StorageContext enum (StorageContextCLI, StorageContextAPI)
- Add *WithContext() variants for all storage functions
- Support context-specific keyring service names and file paths
- Maintain backward compatibility with existing storage functions
- Add comprehensive tests for storage context isolation

Storage locations:
- CLI: stackit-cli keyring, ~/.stackit/cli-auth-storage.txt
- API: stackit-cli-api keyring, ~/.stackit/cli-api-auth-storage.txt

Update authentication flows to support multiple storage contexts,
enabling context-aware token management and refresh.

Key changes:
- Add *WithContext() variants for auth functions
- Update user login flow to accept storage context parameter
- Store access token expiry (JWT exp claim) instead of session expiry
- Update token refresh to write tokens back to correct context
- Add getAccessTokenExpiresAtUnix() to parse JWT exp claim
- Update tests to use new context-aware functions

This enables proper token refresh and bidirectional sync for both
CLI and API authentication contexts.

Introduce 'stackit auth api' subcommand group to enable Terraform Provider
and SDK to use CLI user credentials instead of requiring service accounts
for local development.

New commands:
- stackit auth api login: Authenticate for SDK/Terraform usage
- stackit auth api logout: Remove API credentials
- stackit auth api get-access-token: Get valid access token (with auto-refresh)
- stackit auth api status: Show API authentication status

API auth uses separate storage context (StorageContextAPI) from CLI auth,
allowing concurrent authentication with different accounts.
@franklouwers franklouwers requested a review from a team as a code owner November 27, 2025 22:19
franklouwers added a commit to franklouwers/terraform-provider-stackit that referenced this pull request Nov 28, 2025
This commit adds support for CLI-based authentication in the Terraform
provider, enabling users to authenticate using credentials from the
STACKIT CLI without managing separate service account credentials.

Changes:
- Add cli_auth boolean attribute to enable CLI authentication
- Add cli_profile string attribute for profile selection
- Implement authentication priority: explicit credentials > CLI > env vars
- Integrate with SDK's WithCLIProviderAuth() configuration option

The implementation follows the explicit opt-in pattern requested in
RFC stackitcloud#880, requiring users to set cli_auth = true to enable the feature.
Profile resolution follows the standard precedence: explicit config >
STACKIT_CLI_PROFILE env var > ~/.config/stackit/cli-profile.txt > default.

This change depends on SDK PR stackitcloud/stackit-sdk-go#3865 which
adds the core CLI authentication functionality, and CLI PR
stackitcloud/stackit-cli#1130 which implements the provider credential
storage.

Closes stackitcloud#719
Related to stackitcloud#880
franklouwers and others added 5 commits November 28, 2025 09:16
Replace undefined StorageContextProvider with StorageContextAPI
throughout storage_test.go. Also update test expectations for
keyring service names and text file names to match actual
implementation (stackit-cli-api instead of stackit-cli-provider).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Update example commands to use correct path 'stackit auth api'
instead of 'stackit auth provider' in login, logout, and
get-access-token commands.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

- Add nolint comments for false positive gosec warnings on auth field constants
- Remove unused legacy backward compatibility constants
- Remove unused createEncodedTextFile wrapper function
- Add nolint comment for storagePrinter variable (used via SetStoragePrinter)
- Add nolint comment for test credential false positive

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@JorTurFer
Contributor

Hello
Probably this is a naive question, but what is the difference between the new stackit auth api login and the old stackit auth login? I mean, they look quite similar, just for different user profiles.
